October 15, 2018 // 11:30 a.m.
Social networking giant Facebook has released more details of the attack on its system that saw the personal details of its users exposed through token manipulation, reducing its scope from 50 million to 30 million accounts.
Facebook announced the breach late last month, having detected the issue on September 25th: A flaw in the company's 'View As' system, which allows users to view their profile and other pages as though there were a different user, allowed attackers to obtain access tokens for arbitrary user accounts - giving them access to supposedly-private information without having to know the password associated with said accounts.
At the time, Facebook vice president of product management Guy Rosen indicated that around 50 million user accounts were exposed by the vulnerability, with another 40 million having been potentially exposed by their use of the 'View As' feature. Now, Rosen is reducing that estimate down to around 30 million who 'actually had their tokens stolen.'
'First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totalling about 400,000 people,' Rosen explains of the attack methodology in a press release on the matter. 'In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.
'The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.'
While the news is better than it was, both in terms of the number of users affected and confirmation from Facebook that third-party services using Facebook as an authentication system were not affected as had previously been feared, a 30 million strong breach is still bad news - and it has occurred in the era of the General Data Protection Regulation (GDPR), which allows for hefty fines against companies who should have taken better care of user data. Thus far, none of the authorities investigating the breach have commented on Facebook's culpability in the matter.