Facebook on Friday released new details about the massive hack that impacted millions of users last month.
The hack, which took advantage of a flaw in Facebook’s “View As” feature, allowed attackers to steal so-called access tokens and gain unauthorized access to accounts.
In today’s statement, Facebook revised its original estimate of compromised accounts. According to the latest results of its investigation, the attackers stole access tokens for about 30 million accounts (down from 50 million).
From those 30 million accounts, the hackers were able to steal the following data:
- 14 million accounts had their basic contact information, including name and email or phone number, stolen.
- Another 15 million accounts had gender, religion, location, device information, and the 15 most recent searches stolen, in addition to basic contact information.
- Facebook says the remaining 1 million affected accounts had no information scraped.
Facebook also gave more specific details about the timeline of the attack.
Reportedly, the social media firm noticed a spike of activity on Sept. 14 but did not realize it was a malicious attack until 11 days later. Facebook fixed the vulnerability two days after that and reported the breach to users and privacy officials.
At this point, Facebook says it has no reason to believe the attackers posted anything while they were logged into the compromised accounts.
Similarly, there’s no indication that data was stolen from third-party platforms or apps attached to Facebook. The same applies to first-party apps like Instagram, Facebook Messenger or WhatsApp.
Facebook has said it will inform all 30 million impacted users in the coming days.
The social media giant also confirmed that the FBI is investigating the hack, but added that the agency “asked us not to discuss who may be behind” it.
It’s worth noting that, based on Facebook’s revised estimate, it seems that not all of the people who were logged out of their accounts last month were actually hacked.
What Do I Do?
If you’re curious about whether you’re among the 30 million users whose accounts were compromised, you can check at Facebook’s Help Center.
Just scroll down to the bottom and you should see a notice telling you whether or not your account was targeted in the attack.