Facebook recently disclosed that data from nearly 30 million accounts was compromised. The number was significantly lower than the 50 million accounts first reported. The social network giant also assured users that the hackers were able to access only the name, the phone number and the email address from the breached accounts. More sensitive data, such as passwords or financial information, was not accessed by the attackers.
Still, for users who were uneasy about the privacy and security of the data on their Facebook accounts, the details that hackers did gain access to — gender, relationship status, hometown and other info — might be even more unsettling.
Facebook has been quick to let users check exactly what was accessed. But beyond learning what information the attackers accessed, there is relatively little that the users can do — beyond, that is, watching out for suspicious emails or texts. Facebook says the problem has been fixed.
The company has set up a website where its users can check if their accounts have been accessed, and if so, exactly what information was stolen. It will also provide guidance on how to spot and deal with suspicious emails or texts. Facebook will also send messages directly to those people affected by the hack.
On that page, following some preliminary information about the investigation, the question “Is my Facebook account impacted by this security issue?” appears midway down. The page will also provide information specific to your account if you’re logged into Facebook.
Facebook said the hackers accessed names, email addresses or phone numbers from these accounts. But here's something the company didn't state overtly.
For 14 million of them, hackers got even more data — basically anything viewable on your account that any of your friends could see, and more. It’s a pretty extensive list: username, gender, locale or language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places you checked into or were tagged in, your website, people or Pages you follow and your 15 most recent searches.
An additional 1 million accounts were affected, but hackers didn’t get any information from them. The company isn’t giving a breakdown of where these users are, but says the breach was “fairly broad”. It plans to send messages to people whose accounts were hacked.
Facebook Vice President Guy Rosen said that the FBI is investigating and has asked the company not to discuss who may be behind the attack. Also, the company hasn’t ruled out the possibility that other parties might have launched other, smaller-scale efforts to exploit the same vulnerability before it was disabled. The company said it has fixed the bugs and logged out affected users to reset their digital keys.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.
“Those personal details could very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password, etc.,” he said. “Facebook should provide all those customers free credit monitoring to make sure the damage is minimized.”
Thomas Rid, a professor at the Johns Hopkins University, also said the evidence, particularly the size of the breach, seems to point to a criminal motive rather than a sophisticated state operation, which usually targets fewer people.
“This doesn’t sound very targeted at all,” he said. “Usually when you’re looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they’re going after.”