Facebook released more details about the security flaw two weeks ago, in which 30 million users (down from the original 50 million estimate) had their information stolen. Originally, the company admitted it hadn’t determined whether the affected accounts were misused or whether any information was accessed.
Now, the popular social media site is working with the FBI and detailing what data was stolen and how it happened.
Facebook confirmed that only 30 million people had their access tokens stolen. Access tokens are what keep users logged in to Facebook on their devices without having to enter their password each time they use the site.
While 30 million users had their access tokens stolen, the same information was not stolen from all of them.
For 15 million people, their names and contact information were stolen, meaning email addresses and phone numbers for people who had those listed.
Another 14 million people had information about their username, gender, location/language and relationship status stolen, as well as religion, hometown, workplace, education, current city and birth date.
This is in addition to the devices you use to log in and, of course, your name and contact information.
For the remaining 1 million people, it appears no information was accessed by what Facebook calls “attackers.”
Facebook is now working with the FBI to figure out who these “attackers” were.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” says Guy Rosen, VP of product management at Facebook.
How did this happen?
The security breach was the fault of a vulnerability within the “View As” feature. This feature allows users to see what their own profile looks like to someone else.
This vulnerability led to attackers being able to steal 30 million users’ access tokens.
Facebook explained that the attackers already controlled a set of accounts connected to other users via the friend feature.
The attackers used the “View As” feature on different “friends’” accounts, stealing access tokens along the way. Through the “View As” feature, they were also able to see who was friends with that account and steal their access tokens as well.
Around 400,000 people were accessible through this set of accounts, as well as those 400,000 people’s friends and anyone else they were in contact with on the site.
Other Facebook apps such as Instagram, Messenger, WhatsApp, Workplace, Pages and payments were not affected.
People can see if they were affected by visiting the Help Center. Facebook is also reaching out to the 30 million people affected by the data breach.