Just two weeks after it disabled the View As feature, which was exploited through vulnerabilities in three distinct pieces of software, Facebook has shared updates from its ongoing investigation into the massive data exploit.
The bug remained present in Facebook’s code between July 2017 and September 2018.
Facebook has confirmed that the attack only affects Facebook and that its other services were not affected by the exploit.
These include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, and advertising or developer accounts.
The key takeaways:
First up, the overall number of people affected is lower than initially reported: Facebook says about 30 million people’s access tokens were stolen, not the 50 million originally reported.
The hackers used an automated technique to load the Facebook profiles of 400,000 users and steal the access tokens of their friends and of friends of those friends. In total, they managed to steal the tokens of 30 million users.
This automated mirroring gave them access to users’ timelines, lists of friends, and their Groups, including the names of recent Messenger conversations.
Additionally, attackers could only gain access to message content “where a Group had a Page admin whose Page had exchanged message with someone on Facebook.”
Here is a breakdown of the attack:
- 15 million profiles had name and contact details including phone number, email, or both
- 14 million profiles, in addition to name and contact details, also had other details such as username, relationship status, religion, hometown, self-reported current city, birthdate and more.
- Additionally, these profiles also listed the device types used to access Facebook, education, work, the last 10 places checked into or tagged in, website, people or Pages they follow, as well as the 15 most recent searches.
- The other 1 million people had their tokens stolen, but the attackers could not access any of their information.
Further, the company said it is also looking into other possible ways the attackers may have used its network, and says it is working with authorities including the FBI, the US Federal Trade Commission, the Irish Data Protection Commission and others to help nail down the attackers.
That’s not all: in the next few days, the social network company will contact those affected to explain what information the attackers could have accessed.
Here is a look at the customized messages that people will see depending on the attack’s impact:
In addition, tips on staying protected from future incidents such as suspicious emails, text messages, or calls will be provided too.
Back in April this year, Facebook was found deleting messages that CEO Mark Zuckerberg and other executives had sent using its messaging platform Messenger.
As a result, the company then announced that it would make this feature public.
Facebook has now begun testing the “Unsend Message” feature, as revealed by a tweet that includes two screenshots of the feature in Messenger.
The tweet suggests that the feature may soon become available to all users.
Here is a look at the new Messenger “unsend message” ability: