With many data breaches, the initial assessment of the impact is less than what the actual total ends up being. The opposite, however, is true with Facebook, which released a revised lower estimate for the number of people involved in its latest data breach.
On Oct. 12. Facebook said that only 30 million people were impacted by a data breach of its access token system, down from the 50 million the company originally estimated on Sept. 28. As a result of the breach, Facebook had actually reset the access tokens for 90 million users, out of an abundance of caution.
“We moved extremely fast two weeks ago to understand all of the users that were exposed to the vulnerability and users that may have been affected by this attack,” Guy Rosen, vice president of product management at Facebook, said during a press call on Oct. 12. “We thought that 50 million were affected by this attack, but over the course of investigation in the past two weeks that it was 30 million.”
Rosen also provided new details on how the attack was executed against three different groupings of Facebook users. The first group was made up of 400,000 seed accounts that attackers were able to steal access tokens from. The attackers moved from account to account using an automated script collecting token repeatedly.
“This script automatically loaded those account Facebook profiles, essentially mirroring what these 400,000 people would have seen when looking at their own profiles in a web browser,” Rosen said. “That would have included things like post on their timelines and their friends groups.”
The second group included 15 million Facebook users where the attackers were able to use the access token theft to access users’ information, including name and contact details. The third group included 14 million Facebook users, with attackers getting the same access as they did with the second group, including additional profile details such as gender, relationship status, birthday, recent searches and the last 10 places the person had checked into.
No Third-Party Apps Impacted
Facebook had initially warned that third-party apps that made use of Facebook credentials to authenticate users were also at risk. After further investigation, it turns out that no third-party users were breached.
“We have confirmed that there is no evidence these attackers accessed third-party apps using Facebook login, as well as any developer who uses our official Facebook SDK,” Rosen said.
Rosen said that any app that regularly checks the validity of the Facebook access tokens they get were automatically protected two weeks ago, when Facebook reset users’ access tokens.
“Last week out of an additional abundance of caution, we also built a tool to enable developers to manually identify any users of their apps who may have been exposed so that they can conduct their own investigations,” he said.
Facebook is not publicly providing any attribution on who might be behind the attack or if it is nation-state or politically motivated.
“We are working on this investigation and cooperating with the FBI, and they’re actively investigating this with us,” Rosen said. “They’ve asked us not to discuss who may be behind this attack and what their intentions could be.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.