Facebook revises ‘View As’ hack numbers, says 30 million users were targeted

The company originally estimated that approximately 50 million users were affected


Menlo Park social networking giant Facebook has revised the total number of users affected by the ‘View As’ hacks that took place between September 14th, 2018 and September 25th, 2018.

According to Guy Rosen, Facebook’s vice president of product management, the social network now estimates that approximately 30 million users were targeted, rather than the 50 million users that were initially estimated.

Rosen used an October 12th, 2018 phone call with reporters and an October 12th media release to expand on the details of the hack.

The hack was made possible by three specific bugs that impacted Facebook’s ‘View As’ feature, which lets users see what their accounts look like to other people.

By using the View As feature, hackers were able to steal access tokens — digital keys that keep people logged into Facebook so they don’t have to re-enter their login credentials every time they use Facebook and a Facebook-linked app — to mimic Facebook user accounts.

According to Rosen, hackers used an automated script to steal the access tokens of approximately 400,000 users. They used those tokens to mirror what those 400,000 users would have seen when they used the View As feature.

“That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations,” wrote Rosen, in the October 12th media release.

“Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”

Using the initial batch of 400,000 users, hackers then stole the access tokens of approximately 30 million more people.

Of that 30 million figure, hackers were able to access two sets of personal information for 15 million users: names and contact details, including phone numbers and email addresses.

For the remaining 14 million users affected by the breach, hackers were able to access names and contact details, as well as additional details that were available on user profiles.

“This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches,” wrote Rosen.

Strangely enough, hackers didn’t access the information of approximately one million additional users.

Rosen added that the attack didn’t include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.

Additionally, Rosen reiterated that third-party apps that use Facebook Login as an authentication measure were not included in the hack.

Rosen also told reporters that the attackers didn’t post anything on user profiles.

During the media call, Rosen explained that Facebook had been asked by the U.S. Federal Bureau of Investigation (FBI) to not comment on possible motives, as well as to avoid discussing geographic breakdowns of either the attackers’ or the hacked users’ whereabouts.

The Office of the Privacy Commissioner of Canada previously confirmed to MobileSyrup that Facebook had alerted Canadian authorities of the breach.

Facebook will be personally reaching out to users affected by the breach, including any former users who may have deleted their accounts in the wake of the breach.

Any users concerned about their status can use Facebook’s help centre to check if their information was included in the breach.

Source: Facebook