After two weeks of investigation, Facebook announced additional details on Friday of how attackers carried out a massive breach of the social network that compromised accounts for tens of millions of users. The company downgraded its estimate of how many users had their access tokens stolen from an original estimate of at least 50 million to 30 million—and shed new light on exactly how an attack of this magnitude happened in the first place.
Facebook had previously said that hackers took advantage of three vulnerabilities in the “View As” feature—which lets users see what their profile looks like to other users—to grab access tokens that could then allow them to infiltrate user accounts. The flaws had been present in the platform since July 2017, but the company first detected a rise in suspicious activity on September 14 of this year. That eventually led it to discover the bugs, and the attack they enabled, on September 25.
“With these access tokens an attacker could get into people’s accounts,” Guy Rosen, Facebook’s vice president of product management, told reporters in a call on Friday. “We’re looking at approaches that could address this class of problem and ensuring that we can catch them faster and minimize their impact.”
Facebook says it is cooperating with the FBI, and can’t reveal any findings about the identity of the hackers or their possible motivations, but the attack seems to have been well-coordinated, with the right infrastructure in place to quickly begin fanning out and exfiltrating data. The attackers used a group of established seed accounts that they controlled to exploit the vulnerabilities and steal access tokens from their accounts’ friends, friends of friends, and so on.
By automating this process, the hackers ultimately took over 400,000 accounts, through which they loaded what were essentially mirrors of what users would see when they looked at their own profiles. This means the attackers would have been able to access all of a user’s basic information like places lived and contact information, but also things like their friends, groups they were in, posts on their timelines, and names of people they had messaged with recently in Messenger.
“The 400,000 accounts are the ones where [the attackers’] script loaded the ‘View As’ view, so that actually loads the Facebook profile for that person, and as part of that, when that web page loads and renders in their script it would have included … things like their posts on their timeline, list of friends or groups they’re members of,” said Rosen.
Attackers couldn’t see the contents of messages, unless the compromised user was a Facebook Page administrator, in which case incoming messages were visible. Facebook has concluded that the attack did not impact data in the company’s related services including Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, and developer accounts. Full credit card numbers also would not have been visible to the attackers, and Facebook says it doesn’t have evidence that the attackers accessed the last four digits of user credit cards.
From the first round of 400,000 compromised accounts, though, the attackers continued to compromise access tokens, ultimately spring-boarding to 30 million total. Within the broad 30 million there were three groups. For 15 million accounts, the attackers specifically accessed names and contact information: phone numbers, email addresses, or both, depending on what a particular user listed. On 14 million accounts the attackers took all of that information, plus more granular profile data.
Rosen wrote on Friday that additional information that may have been stolen from this second group included “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
The attackers didn’t access any information on the remaining one million accounts. Here’s how to find out if, and how badly, you were affected.
Facebook wouldn’t comment on Thursday about the geographic breakdown of impacted users, but Rosen described the attack as having a “fairly broad” global impact. He also reiterated that Facebook hasn’t found evidence that the attackers used stolen access tokens to compromise third-party accounts that incorporate Facebook’s login scheme. Facebook released a tool to third-party developers last week that allows them to check whether any of their user accounts were compromised during this incident.
Facebook repeatedly emphasized its swift action in investigating and remediating the attack, but wouldn’t elaborate on why it didn’t take more precautionary steps between September 14, when it first identified suspicious traffic, and September 25, when the company had concluded that the activity was indicative of an attack, identified the vulnerability, and patched it. “There was a spike in activity, these things do happen, there is always variation in how Facebook is used over the course of any given day,” Rosen said. “This was unusual, which is what triggered this investigation and prompted us to dig and understand what was going on and eventually uncover that this was in fact a security issue.”
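The fan-out from seed accounts to friends and friends of friends, and the traffic spike that triggered the investigation, are both signals a defender can look for in feature logs. The block below is an added illustration, not Facebook's code or data: it runs three detectors over a constructed “View As” render log, assuming each event records the hour, the acting account, and the identity being rendered (the identity whose token the page says was minted).

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log (not Facebook data): (hour, actor, viewed_as).
# Each event models one "View As" render that mints a token for `viewed_as`.
EVENTS = [
    # Baseline: ordinary users previewing their profile as a single friend,
    # sometimes reciprocally (a prior target acting later is not by itself odd).
    (0, "u1", "u2"), (0, "u3", "u4"), (1, "u5", "u6"), (1, "u7", "u8"),
    (2, "u2", "u1"), (2, "u9", "u10"), (3, "u4", "u3"), (3, "u11", "u12"),
    # Hour 4: a seed account renders itself as many of its friends in a row.
    (4, "seed", "f1"), (4, "seed", "f2"), (4, "seed", "f3"), (4, "seed", "f4"),
    (4, "seed", "f5"), (4, "seed", "f6"),
    # Hour 5: an identity minted in hour 4 (f1) now fans out to its own friends.
    (5, "f1", "g1"), (5, "f1", "g2"), (5, "f1", "g3"), (5, "f1", "g4"),
    (5, "f1", "g5"), (5, "u13", "u14"),
]

def hourly_spikes(events, factor=2.0):
    """Hours whose render count exceeds `factor` times the median hour."""
    per_hour = Counter(h for h, _, _ in events)
    base = median(per_hour.values())
    return sorted(h for h, n in per_hour.items() if n > factor * base)

def fan_out_actors(events, max_distinct=3):
    """Actors that rendered 'View As' for more distinct identities than a
    person plausibly would by hand in one session."""
    targets = defaultdict(set)
    for _, actor, viewed in events:
        targets[actor].add(viewed)
    return sorted(a for a, t in targets.items() if len(t) > max_distinct)

def chained_actors(events, max_distinct=3):
    """Fan-out actors whose own identity was a 'viewed as' target in an
    earlier hour: the friend-of-friend hop, where a freshly minted token
    becomes the next seed.  Root seeds are never prior targets, so they
    show up only in fan_out_actors()."""
    minted_at = {}
    for h, _, viewed in sorted(events):
        minted_at.setdefault(viewed, h)
    suspects = fan_out_actors(events, max_distinct)
    return sorted(a for a in suspects if a in minted_at
                  and any(h > minted_at[a] for h, actor, _ in events if actor == a))

if __name__ == "__main__":
    print("spike hours:", hourly_spikes(EVENTS))
    print("fan-out actors:", fan_out_actors(EVENTS))
    print("chained (friend-of-friend) actors:", chained_actors(EVENTS))
```

The thresholds are illustrative; in practice they would be calibrated against the feature's real baseline, and the chained-actor check is the one that distinguishes automated propagation from a single noisy account.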
Facebook says it hasn’t seen evidence yet of the stolen data being abused in the wild, and the company now feels more confident in its assessment of what data was taken and which users were impacted. Rosen noted, though, that some aspects of the situation remain unknown. Facebook is continuing to investigate other ways that the hackers may have abused the platform, and hasn’t ruled out the possibility that other attackers exploited the three bugs to launch similar assaults under the radar.