Facebook said that the personal information of 14 million users—including their names, contact information, relationship status, religion, birth date, check-in locations and recent searches—had been stolen by hackers in a security breach that the company first made public two weeks ago.
In a blog post today, the social media company said another 15 million Facebook users’ names and contact information, which could have included email addresses and phone numbers, were accessed by hackers in the same security breach. Another 1 million Facebook users were vulnerable but did not have their private information stolen.
All in all, Facebook has determined that hackers got the ability to access 30 million users’ accounts during a large-scale attack on Sept. 14 and were able to steal personal information from 29 million accounts. That number is smaller than the original 50 million accounts Facebook estimated had been affected, something the company repeatedly emphasized on Friday.
The hackers exploited three vulnerabilities in Facebook’s code, which was first uploaded to Facebook on July 2017.
Hackers exploited 400,000 Facebook accounts to steal access tokens, which let Facebook users log in without re-entering their passwords. Those access tokens allowed hackers to view Facebook profiles as they would have appeared to the account owner, which would have included personal information, the names of recent Messenger conversations, the posts they made on personal timelines, their list of friends and the Facebook groups to which those users belonged.
Facebook first became aware of the attack on Sept. 25, when it noticed an unusual spike in activity, and it invalidated the access tokens of 90 million Facebook users as a precautionary measure two days later.
In a call with reporters today, Guy Rosen, Facebook’s vice president of product management, said that the company cannot rule out whether other users may have been affected in smaller-scale attacks that may have taken place between July 2017 and the large-scale attack on Sept. 14.
There’s still a lot of information Facebook has not provided, including the countries in which users were affected, the potential origin of the attack or the possible intention of the attackers. Facebook has said that it is not disclosing some information at the request of the FBI, which is investigating the breach.
Facebook did say Messenger and Messenger Kids accounts were not accessed by hackers, but that hackers may have been able to read messages in the event that the message was sent to a Facebook Page, and that an affected user was the administrator of that Page.
Facebook found no evidence that attackers were able to view or access advertising and developer accounts. Third-party apps, Instagram, WhatsApp, Workplace, Oculus or Pages were also not affected, Facebook said, and it stressed that full credit card or billing information would not have been visible to attackers.
The update is the first confirmation that millions of its users did, in fact, have detailed personal information scraped and stolen from their personal accounts. While it’s unclear to what extent the stolen personal information has already been used—Facebook’s investigation is ongoing, as are the investigations at the FBI and other law enforcement agencies—the ways in which stolen personal information, like birth dates, workplaces, emails and phone numbers, could be misused is troubling.
Facebook is already facing withering scrutiny and several investigations for its handling of user data and for its privacy policies. In March, tens of millions of Facebook users’ private information was mined by the political ad-targeting firm Cambridge Analytica. Facebook CEO Mark Zuckerberg said in an apology post the company had “a responsibility” to protect users’ data.
“If we can’t then we don’t deserve to serve you,” Zuckerberg wrote.
The latest breach is only the most recent stop on the Zuckerberg Apology Tour, which left the station in 2006 when the at-the-time young CEO apologized for the company’s News Feed rollout—one that angered users because of the lack of privacy controls.
The news of the scope of September’s breach comes four days after Facebook announced it was rolling out Portal and Portal Plus, its audio and video communications devices whose cameras follow you in your home.