In a way, this is good news, given that when Facebook previously said it thought as many as 50 million users had been affected.
But Facebook is also describing some of the data that was accessed, and it's truly exhaustive. Before we get too deep into the weeds of how Facebook says the attack happened and what it's doing about it now, here's how to tell if you're one of the 30 million or so people affected.
Fortunately, this is pretty easy to find out. Simply log into Facebook, and navigate to the Facebook Help Center. (You can't be to careful where you're clicking, but the link is on Facebook itself: facebook.com/help/securitynotice.)
On that page, you'll see a roughly 335-word description of the issue, followed by a light blue box. If everything's okay, you should see a simple message within the box:
Is my Facebook account impacted by this security issue?
Our investigation is still ongoing, but based on what we've learned so far, the attackers did not gain access to information associated with your Facebook account.
If you see anything different, at least you'll know that there's something to be concerned about. Facebook says that "in the coming days" it will send:
customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.
While you're doing this, you should also take the time to check your Facebook privacy settings, as I described how to do previously. You might truly be surprised by how much data Facebook has on you.
In the meantime, here's the overview of what Facebook says happened here:
- First, attackers exploited a vulnerability in the site's code that apparently resulted from three separate bugs, from July 2017 to September 2018. In short, it allowed hackers to generate tokens that allow access to user profiles.
- The attackers had access to a limited number of accounts to begin with, and it's not clear if these were bogus to begin with, but they were connected to other "friends" on the site. Then, they "used an automated technique to move from account to account so they could steal the access tokens of those friends," and then friends of those friends. Ultimately this got them access to about 400,000 people.
- Ultimately, the hack metastasized across the network, accessing about 30 million total profiles.
Not every account was accessed in the same way. Facebook says for 15 million of the compromised accounts, the attackers basically just got names and contact details such as "phone number, email, or both, depending on what people had on their profiles."
For another 1 million people, the hackers got access, but weren't able to obtain any information.
The 14 million remaining people had the most information accessed, however, including:
- contact information
- relationship status
- self-reported current city
- device types used to access Facebook
- the last 10 places they checked into or were tagged in
- people or Pages they follow, and
- their 15 most recent searches.
That's truly a mother lode. I suppose it's that that there doesn't seem to be any immediate indication that financial information was accessed.
And Facebook is quick to point out that the attack appears limited to Facebook personal accounts, not Messenger, Instagram, WhatsApp, Oculus, or other Facebook products. But the investigation is clearly ongoing.
"As we look for other ways the people behind this attack used Facebook," the company said, "as well as the possibility of smaller-scale attacks, we'll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities."