Facebook shares details of September 2018 hack

On September 25, 2018, many Facebook users were surprised to open their app and see a login screen. As explained by the company's security team, many Facebook users' security tokens (the code that keeps users consistently logged in) were deleted by the company after a malicious attack on the site.

The social media giant offered transparency and a full report about the incident and the extent of it. Earlier today, the company issued a release that states the number of accounts compromised, their plans to rectify the issue, and the data that may have been stolen by hackers.

Facebook is one of the biggest companies on the Internet and plays parent to a myriad of other social sites and apps. They currently own Instagram, WhatsApp, and the virtual reality company, Oculus. This pairs with their very own home-grown products such as Messenger Kids and Facebook for Workplace.

In a detailed report issued by Facebook, they have come forward with all findings from the attack. These are the highlights from the report:

  • The attackers used a vulnerability in the site’s code that had been in place from July 2017 until the date of the attack. This compromised the “View As” feature on Facebook, which allowed users to look at their accounts through another person’s perspective, to see how much information is visible to them.
  • The vulnerability allowed a user’s Facebook access token to be viewed. An access token is what allows users on the social media site to return to the page repeatedly without logging in unless they log out themselves.
  • The attack was first picked up on September 14, 2018, after an unusual spike in activity was detected, and this is when the investigation started. By September 25, the attack had been verified, and it was terminated within 2 days.
  • The vulnerability was closed, and users whose accounts Facebook suspected were compromised were forced to log in again because their access tokens were reset.
  • “View As” has been turned off until the issue is properly rectified to stop the incident from recurring. The FBI has also been involved in the investigation to find the culprits. Facebook has been asked by the agency not to reveal details regarding the attackers.
  • The number of compromised accounts is significantly lower than originally anticipated. From the original 50 million people suspected of having their access token stolen, the number is now down to 30 million.
  • The hackers used 400,000 compromised accounts to create a snowball effect, by having people click on a link that allowed for the attack to be executed.
  • The hackers used friends of these 400,000 accounts to create a ripple effect (i.e., a hacked account would send a malicious link to its 120 friends; 80 or so would click the link, and it spread from there).
  • Facebook shared a breakdown of data stolen:
    • 15 million people had two sets of information accessed: contact details (e-mail, phone number) and name.
    • 14 million people had the above two sets accessed, in addition to other details like username, gender, language, relationship status, birthdate, device type used to access Facebook, and more.
    • 1 million users did not have any information compromised.
  • Facebook has set up a Help Center page to answer the big question: “Was I hacked?”. You can visit this page to find out.

Facebook says it will contact the compromised accounts and brief them on what data may have been accessed and steps those users can take to better protect themselves.

Facebook also confirmed that Messenger, Instagram, Messenger Kids, Oculus, Pages, Payments, third-party apps, and any other relevant branches of the website were not compromised. This means credit card information for Facebook ads or other sensitive information is still safe. For now, the social media giant will continue its investigation with the FBI, the US Federal Trade Commission (FTC), the Irish Data Protection Commission, and other authorities to handle the issue.