It's better to be safe than sorry when it comes to data breaches. While overstating the problem runs the risk of inspiring panic, understating it can lull people into believing it wasn't that big a deal. Facebook opted for the first approach in September when it revealed an attack that it believed affected 50 million and may have impacted 40 million. But today, it said only 30 million people were truly affected. Also interesting: whether or not Facebook knows who the crooks were, the U.S. government has asked it to keep their identity to itself.
The attack exploited a vulnerability in Facebook's network that existed from July 2017 to September 2018. The company suspected an attack on September 14, confirmed it on September 25 and patched the problem by September 27. It publicly revealed the issue on September 28.
Facebook also notified the FBI, which is currently investigating the issue and has asked the company not to discuss who may be responsible for the attack:
"We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack," Facebook said.
In addition, Facebook said it's cooperating with the U.S. Federal Trade Commission, the Irish Data Protection Commission and "other authorities".
Facebook said the vulnerability resulted from "a complex interaction of three distinct software bugs" involving the "View As" feature, which lets people see how much of their profile is exposed to people they aren't friends with on the website. The attackers could exploit this vulnerability to steal the access tokens that let people stay signed in to Facebook without entering their password every time. Those access tokens could then be used to take over accounts.
The attackers were said to have already had control over several accounts. They used those accounts to steal information from the accounts' friends and friends of friends, affecting roughly 400,000 people in the first wave. Repeating that process ultimately led to 30 million accounts being affected by the attack. That's fewer than Facebook anticipated, which is welcome news, but it still means a lot of people were compromised by the hack.
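The two paragraphs above describe the shape of the problem: a profile-preview feature ended up handing out session tokens, and a stolen token let the holder read whatever the token's owner could read, including friends' non-public profile fields. The following is an added illustration of that flaw class and its fix in a toy model; it is not Facebook's code and makes no claim about how Facebook's three bugs actually interacted. The user names, profile fields, `FRIENDS` graph, `TokenService`, `render_profile` and the two `view_as_*` functions are all constructed for the example.

```python
"""Toy model of a 'view as' profile preview and the token-confusion flaw
class described in the article. Hypothetical code, not Facebook's; the
users, fields, friend graph and token service are constructed."""
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed sample data: each profile field carries the audience the
# owner chose for it ("public" or "friends").
PROFILES = {
    "alice":   {"name": ("Alice", "public"), "phone": ("555-0100", "friends")},
    "bob":     {"name": ("Bob", "public"),   "email": ("bob@example.com", "friends")},
    "mallory": {"name": ("Mallory", "public")},
}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}
RANK = {"public": 0, "friends": 1, "owner": 2}


@dataclass(frozen=True)
class Token:
    subject: str                 # the account this token acts as
    preview_of: Optional[str]    # set only for a read-only 'view as' preview


class TokenService:
    """Opaque bearer tokens resolved server-side to a Token record."""

    def __init__(self) -> None:
        self._store: dict[str, Token] = {}

    def issue(self, subject: str, preview_of: Optional[str] = None) -> str:
        tok = secrets.token_hex(16)
        self._store[tok] = Token(subject, preview_of)
        return tok

    def resolve(self, tok: str) -> Token:
        return self._store[tok]


def audience(viewer: str, owner: str) -> str:
    if viewer == owner:
        return "owner"
    if viewer in FRIENDS[owner]:
        return "friends"
    return "public"


def render_profile(svc: TokenService, tok: str, owner: str) -> dict:
    """Return the fields of `owner` visible to the identity behind `tok`."""
    t = svc.resolve(tok)
    if t.preview_of is not None:
        # A preview token only answers "how does MY profile look to a
        # stranger"; it must not be usable against anyone else's profile.
        if owner != t.preview_of:
            raise PermissionError("preview token cannot read other profiles")
        aud = "public"
    else:
        aud = audience(t.subject, owner)
    return {k: v for k, (v, vis) in PROFILES[owner].items() if RANK[vis] <= RANK[aud]}


def view_as_insecure(svc: TokenService, viewer: str, target: str) -> str:
    # Flaw class: the preview is built by minting a real session token for
    # the *target* and filtering to the public view on the client. Whoever
    # captures that token now holds the target's full session.
    return svc.issue(subject=target)


def view_as_secure(svc: TokenService, viewer: str, target: str) -> str:
    # The viewer keeps their own identity; the token only carries a
    # read-only preview claim scoped to the viewer's own profile.
    return svc.issue(subject=viewer, preview_of=target)


if __name__ == "__main__":
    svc = TokenService()
    # Mallory previews Alice's profile with the flawed feature and then
    # reuses the token against Alice's friend Bob.
    bad = view_as_insecure(svc, "mallory", "alice")
    print("insecure token sees on bob:", render_profile(svc, bad, "bob"))
    good = view_as_secure(svc, "mallory", "alice")
    print("secure token sees on alice:", render_profile(svc, good, "alice"))
    try:
        render_profile(svc, good, "bob")
    except PermissionError as e:
        print("secure token on bob:", e)
```

The point of the model is the `subject` field: the insecure preview changes who the token *is*, so the friends-only data of every account adjacent to the target becomes readable and the walk can be repeated from each of those accounts, which is the friends-of-friends expansion the article describes. The secure preview changes only what the viewer is *allowed to see of their own profile*, so the token is worthless for anything else even if it leaks.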
Facebook said the unidentified group didn't collect the same information about everyone affected by their attack. The company broke it down:
"For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow and the 15 most recent searches. For 1 million people, the attackers did not access any information."
The company was also careful to note that this attack only affected Facebook proper, not Instagram, Oculus, et cetera. Facebook users can see if they were affected by checking the Help Center; Facebook also plans to notify the 30 million affected users to "explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls."
Unfortunately, the ramifications of this vulnerability won't be fully revealed by this report. Facebook still has to determine whether smaller attacks were able to compromise access tokens via the "View As" feature, and it will also continue its investigation into this attack. Data breaches often grow in scope as companies do more digging, so while the shift from 50 million down to 30 million is promising, it's also not the whole story.