Facebook has issued an update for September’s security breach, advising the breach affected 30 million users, 20 million fewer than first thought, as well as revealing the kinds of data the attackers had access to during the incident.
The update on the original notification provided by the social network in September, which advised of a vulnerability where attackers could acquire access tokens used to authenticate a user’s token, advises the breach in fact affected just 30 million people, with the effects of the breach split roughly in half across the group.
Approximately 15 million people had their name and contact details, including phone number and email, accessible by the attackers. For 14 million people, the attackers were able to access a considerable amount of other data on top, all listed in their profiles.
The list of extra data includes usernames, genders, locale and language, relationship status, religion, hometown, self-reported current city, date of birth, device types used to access Facebook, education, work, the last 10 places the user was checked into or tagged in, website address, people or pages they follow, and the last 15 recent searches on the service.
For the remaining 1 million users whose tokens were acquired, the attackers apparently did not access the accounts at all.
Examples of customized messages Facebook will send out to affected users
Facebook is now advising concerned users to check the site’s Help Center to see if they were affected. In the coming days, users within the 30 million people identified by Facebook will be sent a customized message advising of what the attackers could have accessed, as well as ways to protect themselves.
The company notes the attack did not affect its other services, including Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. Facebook also advises it will be looking for other ways the attackers used Facebook, along as watching out for smaller-scale attacks, and will continue to cooperate with the FBI, U.S. FTC, the Irish Data Protection Commission, and other authorities.