An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday as it released new details about the scope of the incident. When it first reported the breach Sept. 28, Facebook said the number of those affected was about 50 million.
Through a series of interrelated bugs in Facebook's programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses.
An additional 14 million users were affected more deeply, by having additional details taken related to their profiles such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.
A smaller slice of people were more heavily affected. About 400,000 people served as the hackers' entry point to the 30 million others on Facebook. For those 400,000, the attackers could see what the users see as they look at their own profiles. That included posts on their Facebook time lines, and names of recent Facebook Messenger conversations.
At the time, Chief Executive Officer Mark Zuckerberg -- whose own account was compromised -- said attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in.
The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, Facebook said when it disclosed the breach. The attackers began with a relatively small number of accounts that they directly controlled, exploiting flaws in the platform's "View As" feature to gain access to other users' profiles. (The "View As" feature is designed to allow users to view their own profiles as though they are somebody else.)
Facebook said it is cooperating with federal and other authorities on its investigation, but said the FBI had advised the company not to discuss who may be behind the attack.
The 29 million affected users, along with 1 million whose security tokens were taken but did not appear to have their data stolen, will be receiving customized messages from Facebook identifying specifically which types of information on their profiles, if any, were involved in the breach. Facebook executives told reporters Friday that the company will also try to reach affected users who have since deleted their Facebook profiles.
Facebook has also established a Web page at facebook.com/help/securitynotice?ref=sec that will inform its 2 billion users who are logged in whether their accounts were affected. It will also provide guidance on how to spot and deal with suspicious emails or texts. Facebook will also send messages directly to those people affected by the hack.
What may have motivated the attackers is still unclear; despite mounting concerns about election security as U.S. officials count down to a highly contested midterm election, Facebook said there was no indication the hack was specifically related to the U.S. electoral process.
"We don't have a specific indication as to the intention of the hackers," said Guy Rosen, Facebook's vice president of product management.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.
"Those personal details could be very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password, etc.," he said. "Facebook should provide all those customers free credit monitoring to make sure the damage is minimized."
Thomas Rid, a professor at the Johns Hopkins University, also said the evidence, particularly the size of the breach, seems to point to a criminal motive rather than a sophisticated state operation, which usually targets fewer people.
"This doesn't sound very targeted at all," he said. "Usually when you're looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they're going after."
Facebook's disclosure puts the company under even greater pressure as policymakers have taken the company to task over its approach to user privacy and data.
The security breach comes at a time when the Menlo Park, Calif.-based company is desperately trying to regain trust with its users. Facebook has been under fire since it was learned earlier this year that personal information was transferred by an app developer to Cambridge Analytica, a political consulting firm that worked for Donald Trump's 2016 presidential campaign. The company has spent months trying to update its security and answer questions about the scandal from U.S. lawmakers and overseas policy makers.
Information for this article was contributed by Brian Fung of the The Washington Post and by Sarah Frier of Bloomberg News and by Mae Anderson of The Associated Press..
Business on 10/13/2018