[BreachExchange] Facebook downgrades breach count from 50 million to 30 million users

Destry Winant destry at riskbasedsecurity.com
Mon Oct 15 09:36:54 EDT 2018
Facebook said today the number of users who had their Facebook
authentication tokens stolen in a security breach that took place last
month is actually 30 million, and not 50 million, as the company
initially announced.

Attackers stole authentication tokens for these 30 million accounts,
but they also stole additional data for 29 million, Facebook said.

For 15 million users, attackers harvested name and contact details
(phone number, email, or both, depending on what people had on their

For 14 million users, attackers harvested the same info as above, plus
username, gender, locale/language, relationship status, religion,
hometown, self-reported current city, birthdate, device types used to
access Facebook, education, work, the last 10 places they checked into
or were tagged in, website, people or Pages they follow, and the 15
most recent searches.

For 1 million, attackers only collected access tokens.

The social network said it's working with the FBI to identify the
attackers, and could not reveal additional information about the
source of the attacks.

But while answering questions in a phone conference today, Guy Rosen,
Facebook's VP of Product Management, said Facebook did not identify
attempts to use any of the stolen tokens.

Even if the attackers had tried to use the tokens, they wouldn't have
worked, Rosen said, the reason being that Facebook had invalidated all
the stolen tokens on September 28.

Rosen also said Facebook did not find any evidence suggesting the
tokens were used with the Facebook Login feature either, which would
have allowed the attacker to log into third-party apps via Facebook

The Facebook exec also went into more details on how the attack
unfolded. He said attackers initially used accounts under their direct
control, which they had likely created, to exploit the vulnerability
in the "View As" feature and steal tokens for the friends of those
original accounts. They then used the same vulnerability over and over
again until they gathered tokens for around 400,000 accounts, which
Rosen referred to as "seed accounts."

Once they had the tokens for the seed accounts, Rosen said the
attackers used the tokens to access the 400,000 accounts and deployed
scripts to harvest even more tokens at a larger and automated scale.

This action triggered a massive traffic spike, which Facebook
engineers detected on September 16. After investigating the source of
the traffic, Facebook concluded on September 26 that it was a
coordinated attack, patched the View As vulnerability on September 27,
and went public with the breach on September 28.

"In the coming days, we'll send customized messages to the 30 million
people affected to explain what information the attackers might have
accessed, as well as steps they can take to help protect themselves,
including from suspicious emails, text messages, or calls," Rosen
added separately, in a blog post.

Mockups of those messages are available below. Until then, Facebook
also launched a Help Center page where everyone can go and see if
they're one of the 30 million unlucky users who had their token
