Facebook today revealed more information about the September data breach that potentially affected up to 50 million users. Now we know roughly what information the attackers accessed and the number of people they had access to, and there is a help service for those who were affected.
According to Guy Rosen, VP of Product Management (who’s really had to be on the front lines with regard to the multiple security incidents):
“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”
The attackers apparently used some kind of automated method of grabbing access tokens from friends of accounts they already controlled. They eventually worked their way up to the 30 million number.
According to Rosen, the victims break down thus: Attackers stole name and contact details for 29 million users — including phone numbers and email addresses. Of that number, 14 million users had further details exposed, including gender, religion, device types, birthday, last checked-in locations, who and what they follow, and most recent searches. A scant 1 million didn’t have their data accessed at all.
Facebook’s candidness and its creation of a page where users can assess their own safety are commendably helpful. I realize there’s something off about being grateful Facebook’s displaying the base level of technological decency, but still. It’s certainly more encouraging than the cover-up by Google that led, this week, to the unfortunate demise of Google+.
Rosen also specified that this breach only affected Facebook, and not Instagram, WhatsApp, or any other apps. According to TechCrunch, the company is cooperating with the FBI, but is not allowed to speculate about who may be behind the attack.