Cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, Facebook said on Friday, claiming that its largest-ever data theft hit fewer than the 50 million profiles it initially reported.
The company said it will message affected users over the coming days to tell them what type of information had been accessed in the attack, Reuters reports.
The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed, recent searches and location check-ins from 14 million users.
For the other 15 million users, the breach was restricted to name and contact details. In addition, attackers could see the posts and lists of friends and groups of about 400,000 users.
Facebook Vice President Guy Rosen told reporters that the US Federal Bureau of Investigation has asked the company to limit descriptions of the attackers due to an ongoing inquiry.
Rosen revealed that while the attackers’ intent has not been determined, they did not appear to be motivated by the upcoming US mid-term Congressional election on Nov. 6.
He said the attack affected a “broad” spectrum of users, but declined to break down the number affected by country.
Facebook said it is continuing to investigate whether the attackers took actions beyond stealing data, such as posting from accounts, but had not found additional misuse.
The social media giant will “do everything we can to earn users’ trust,” Rosen was quoted as saying.
The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in the use of its “view as” feature.
That feature allows users to check privacy settings by glimpsing what their profile looks like to others. But three errors in Facebook’s software enabled someone accessing “view as” to post and browse from the Facebook account of the other user.
The attackers used the “view as” flaw with “a small handful” of accounts they controlled to capture data of their Facebook friends, then used a tool they developed to breach friends of friends and beyond, Rosen said.
Facebook patched the issue last month and asked 90 million users to log back into their accounts, many just as a precaution.