On September 28, Facebook said a newly discovered flaw in the social media platform may have given hackers access to almost 50 million accounts. It did not say how many accounts were actually hacked though. As it turns out, the data of nearly 30 million users has been stolen in the breach, a Facebook investigation has now confirmed. Although Facebook says that “fewer people were impacted than we originally thought,” 30 million is still a massive number, enough to raise serious concern among users.
Facebook has been able to find out exactly what kind of data was stolen. “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information,” Facebook said on its official blog.
The data was stolen by hacker(s) between September 14 and September 17, 2018, using what Facebook calls access tokens. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” according to Facebook. Facebook says it has since fixed the flaw, but it also had to reset the access tokens of around 90 million users after the breach.
As a result, impacted users were briefly logged out of their Facebook accounts and needed to sign in again in order to gain access. It would appear that a change of password was also the collective need of the hour, although Facebook does not categorically say that users need to do that. “There’s no need for anyone to change their passwords,” it says.
Now that we’ve come to know the exact number of accounts that were hacked in the breach, the obvious next step is to find out if you were hacked.
You can find out if you were hacked or not by visiting Facebook’s Help Centre. You will find a different set of messages (notifiers) depending on whether or not your account was hacked.
— If you were hacked:
“In the coming days, we’ll (Facebook) send customised messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.”
— If you were not hacked:
“Based on what we’ve learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts.”
Facebook says it has fixed the vulnerability and has reset the access tokens of all those hacked. If your account wasn’t breached, well, good for you. And if it was, Facebook says hackers will not be able to retrieve any more information (than what they have already had access to) from your compromised account.