At the end of last month, Facebook made a bombshell disclosure: As many as 90 million of its users may have had their so-called access tokens—which keep you logged into your account, so you don’t have to sign in every time—stolen by hackers. Friday, the company put the actual number at 30 million. Here’s how to see if you were one of them, and if so, what the hackers got from your account.
There might understandably be some confusion around the matter; a few weeks ago, Facebook logged 90 million of its users out of an abundance of caution, making them sign in again and invalidating the stolen access tokens. Over the next few days, Facebook will insert a customized message into the News Feeds of the 30 million people whose accounts were actually impacted, based on the extent of the damage.
“People’s accounts have already been secured by the action we took two weeks ago to reset the access tokens for people who were potentially exposed—no one needs to log out again, and no one needs to change their password,” says Guy Rosen, Facebook’s vice president of product management. “We’ll be explaining what information the attackers may have accessed as well as steps they can take to help protect themselves from any suspicious emails or text messages or calls that could potentially result from this kind of information being exposed.”
If you don’t want to wait for the message to hit your News Feed to find out if you’re okay, go ahead and check whether you were among those hit on Facebook’s support page for the incident. Scroll past the background paragraph, and you’ll see a header that reads “Is my Facebook account impacted by this security issue?”
From there, you’ll see one of three outcomes. If it says that, based on what Facebook knows so far, you’re not impacted, you should be in the clear pending any further revelations. The company says that one million of the 30 million people who had their access tokens stolen didn’t have any of their data compromised.
The remaining 29 million users will see one of two messages, depending on the extent of the damage. Fifteen million of them had their names, email addresses, and phone numbers accessed by hackers. While that’s not ideal by any accounting, the remaining 14 million Facebook users are left with a much worse result.
In addition to the basic contact information above, the list of details hackers accessed is long: username, date of birth, gender, devices you used Facebook on, and your language settings, at the very least. If you filled out the relationship status, religion, hometown, current city, work, education, or website sections of your profile, they got that too. And most unsettling of all, they could have accessed the 10 most recent locations you checked into or were tagged in, and the 15 most recent searches you’ve entered into the Facebook search bar.
Facebook says it has seen no signs yet that attackers used the stolen access tokens to infiltrate third-party apps and services, as was technically possible. And it maintains that no account passwords or credit card information was compromised. But the amount of information, and its sensitive nature, should be a boon to phishers and scammers for years to come. You can change your password or cancel a credit card. Your hometown will always be just that. And where you’ve been and whom you’ve searched for are deeply personal parts of your life, both online and in the real world.
Facebook at least acknowledges this on its support page, offering some advice about how to avoid phishing attempts, like being “cautious of unwanted phone calls, text messages or emails from people you don’t know.” Presumably, you were doing this anyway. The rest of the advice is similarly rudimentary, but that’s in part because there’s only so much you can do to stop that kind of attack. If a determined phisher wants to get you, they almost certainly will eventually, especially if they have access to the kind of data that Facebook’s security fail has given away.