The number of Facebook accounts left exposed by a security issue that attackers exploited was lower than the company previously thought, but the accounts subject to the breach had information like name and contact details accessed, Facebook said.
According to Facebook, about 30 million people actually had their access tokens stolen, not 50 million as the company had previously thought. In an update Friday, Facebook said it is cooperating with the FBI, which is investigating and has asked the company not to discuss who may be responsible for the attack.
“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” the company said in a statement.
Facebook also revealed what information the attackers accessed for the accounts that had access tokens stolen. The company said 15 million people had their name and contact details (phone number, email, or both, depending on what people had on their profiles) accessed. For 14 million people, Facebook says attackers accessed that same information as well as other details they had on their profiles, like username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow and the 15 most recent searches.
The remaining 1 million people did not have any information accessed.
“In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls,” Facebook said.
The company’s investigation began when it saw an unusual spike in activity Sept. 14. Facebook determined that it was an attack on Sept. 25 and identified the vulnerability, which has since been fixed. The “View As” feature impacted by the vulnerability has been turned off temporarily.
The attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts, Facebook said.
This report is being updated.