Update on the Facebook Hack Attack

Tech Update   •   October 2018

Update on the September 2018 Facebook Hack Attack

You may have noticed last month that Facebook was acting… weird: duplicate friend requests, an unusual amount of activity in your news feed, messages sent from your account, or a notice that you were logged in on a device across the country. Those are the classic signs of an account that someone else is using.

Then, at the end of last month, came Facebook’s announcement: about 50 million accounts had been compromised, and as a precaution Facebook also reset the access tokens of a further 40 million, so roughly 90 million people were logged out. Facebook said it believed the attackers had abused the “View As” feature to obtain access tokens, which then let them into users’ accounts. An access token is essentially a digital key: it keeps you logged into Facebook so you don’t have to re-enter your password every time you open the app. It is also a bearer credential, meaning whoever holds the token can act as that user without ever knowing the password. That is why stealing tokens was enough for the attackers, and why the fix was to invalidate the tokens rather than make everyone change their password.

On Friday, October 12, Facebook provided an update on the ongoing investigation into how such a large breach of the social network took place. There was some “reassurance” in it: the number of accounts actually accessed was closer to 30 million than 50 million. But for about half of those (14 million), the attackers obtained their “Name and Contact Details (phone number, email, or both depending on what people had on their profiles)…Username, Gender, Locale/Language, Relationship Status, Religion, Hometown, Self-Reported Current City, Birthdate, Device Types used to access Facebook, Education, Work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.” Another 15 million had only their name and contact details taken, and for the remaining 1 million the attackers did not access any information.

How did this happen?

Facebook explains in its update that the attackers exploited a vulnerability in the “View As” feature, which lets you see how your own profile looks to a specific friend or to the general public. According to Facebook, the bug was a combination of flaws rather than a single mistake: a video uploader embedded in the View As page generated an access token, and when that uploader was rendered under View As it minted the token for the person being viewed as, not for the viewer. Anyone who could open View As on a friend’s profile could therefore pull a working token for that friend out of the page.

According to the official update provided by Guy Rosen, Facebook’s VP of Product Management,

“The hackers initially controlled a set of accounts which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”

Facebook has temporarily disabled the “View As” feature while it completes its security review.
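To make the mechanism concrete, here is a small simulation of the two things described above: a “View As” page that hands the viewer a token for the person being viewed as, and the automated friend-to-friend crawl that harvests such tokens. This is an added illustration, not Facebook’s code and not the actual exploit. The friend graph, the token store, the two view_as functions and the harvest routine are all constructed here for the example; the only things modelled from the incident are the direction of the bug (the token belongs to the target, not the viewer), the rule that View As only works on your own friends, and the remediation of resetting tokens for every affected account.

```python
"""Simulation of the 'View As' token leak and the friend-graph crawl (illustrative, not Facebook's code)."""
import secrets
from collections import deque

# Constructed sample friend graph: user id -> set of friend ids (symmetric).
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave"},
    "frank": set(),  # no friends: the crawl can never reach this account
}


class TokenStore:
    """Bearer tokens: whoever holds the string acts as the user it maps to."""

    def __init__(self):
        self._tokens = {}  # token string -> user id

    def issue(self, user_id):
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = user_id
        return tok

    def whoami(self, token):
        """User the token belongs to, or None if it is unknown or has been reset."""
        return self._tokens.get(token)

    def revoke_all_for(self, user_ids):
        """Remediation: reset every token of these users, so stolen copies stop working too."""
        self._tokens = {t: u for t, u in self._tokens.items() if u not in user_ids}


def _check_view_as_allowed(store, viewer_token, target):
    viewer = store.whoami(viewer_token)
    if viewer is None or target not in FRIENDS.get(viewer, ()):
        raise PermissionError("View As is limited to your own friends")
    return viewer


def view_as_vulnerable(store, viewer_token, target):
    """Buggy 'View As': renders the profile but embeds a token minted for TARGET (the flaw)."""
    _check_view_as_allowed(store, viewer_token, target)
    return {"profile_of": target, "access_token": store.issue(target)}


def view_as_fixed(store, viewer_token, target):
    """Hardened 'View As': the same rendering, but any token on the page is the viewer's own."""
    _check_view_as_allowed(store, viewer_token, target)
    return {"profile_of": target, "access_token": viewer_token}


def harvest(store, seed_tokens, view_as):
    """Automated crawl: for every token held, steal a token for each friend, then repeat.
    Returns {user_id: token} for every account whose token was obtained."""
    stolen = {}
    queue = deque(seed_tokens)
    while queue:
        tok = queue.popleft()
        owner = store.whoami(tok)
        if owner is None or owner in stolen:
            continue
        stolen[owner] = tok
        for friend in FRIENDS[owner]:
            if friend in stolen:
                continue
            page = view_as(store, tok, friend)
            ftok = page["access_token"]
            # Only a token that really acts as the friend is useful for the next hop.
            if store.whoami(ftok) == friend:
                queue.append(ftok)
    return stolen


def run_scenario(view_as):
    """Attacker starts with one controlled account ('alice'). Returns which accounts were
    compromised and how many stolen tokens still work before and after the platform
    resets tokens for those accounts."""
    store = TokenStore()
    seed = store.issue("alice")
    stolen = harvest(store, [seed], view_as)
    usable_before = sum(1 for u, t in stolen.items() if store.whoami(t) == u)
    store.revoke_all_for(set(stolen))
    usable_after = sum(1 for u, t in stolen.items() if store.whoami(t) == u)
    return {
        "compromised": set(stolen),
        "usable_before_reset": usable_before,
        "usable_after_reset": usable_after,
    }


if __name__ == "__main__":
    print("vulnerable View As:", run_scenario(view_as_vulnerable))
    print("fixed View As:     ", run_scenario(view_as_fixed))
```

With the vulnerable endpoint a single seed account yields a token for every account reachable through the friend graph (five of the six users here; frank has no friends and is never reached), which is the “friends, and friends of friends, and so on” chain in Facebook’s description. With the fixed endpoint the crawl stops at the seed, because the page never contains a token for anyone but the viewer. The reset at the end shows why Facebook invalidated tokens rather than asking for password changes: once the tokens are reset, every stolen copy is dead regardless of who holds it.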

How Do I Know if My Account was Compromised?

If you are unsure (or want to be doubly sure) whether your account was one of those hit, visit Facebook’s Help Center notice for this incident and scroll to the question Is my Facebook account impacted by this security issue? The answer appears in the blue box at the bottom of the page.

[Screenshot: the Help Center answer box]

If Facebook says your account has not been impacted, you should be in the clear, although your access token may still have been reset as a precaution, which is why you may have had to log back in. The other two outcomes put you among the 15 million whose name and contact details were stolen or the 14 million who had most of their profile information taken. Whatever the answer, it is worth opening Settings > Security and Login > Where You’re Logged In and ending any session you don’t recognise.

For the 30 million users affected by this breach, Facebook will send one of three personalized messages in the coming days explaining which of the three groups they fall into.

[Screenshot: mock-ups of Facebook’s three customized messages]

Facebook says there is no indication so far that the stolen information has been used to get into other apps or abused in any other way. It also says the attack did not touch “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.” Facebook is cooperating with the FBI and, at the FBI’s request, will not say who it believes was behind the attack or what their motive was.

In Sum

Be smart online, kids. Hackers are good; if they want you or your information badly enough, they will find a way. This particular attack happened entirely on Facebook’s side: there was nothing a user could have done to stop a token being minted for someone else, and no passwords were taken, so there was no need to change yours afterwards. What you can do is limit the damage. The stolen names, phone numbers and email addresses are exactly what phishing and spam campaigns run on, so be suspicious of unexpected calls, texts and emails that seem to know who you are. Don’t accept friend requests from people you don’t know, don’t answer calls from unrecognized numbers, don’t open emails that sound too good to be true, and read Wired’s Resist Phishing Attacks with Three Golden Rules.

More Reading:

Wired | How Facebook Hackers Compromised 30 Million Accounts

Full Press Call Transcript of the Facebook Update.