Remember that bug Facebook revealed two weeks ago that may have affected 50 million users, if not more? Well, Facebook has now stated that 30 million of those users had their access tokens stolen by attackers, according to a new update posted by Facebook today.
This bug was part of Facebook’s “View As” tool, which allows you to view your profile as it would appear to someone else on Facebook. Attackers chained 3 vulnerabilities together to exploit a bug in this feature and steal a user’s, and their friends’, access tokens. These access tokens could then be used to log in to the associated account and provide full access to everything on it.
In a blog post today, Facebook has decided to downplay the attack to make it appear as less serious than it actually is.
“We now know that fewer people were impacted than we originally thought,” stated Facebook’s update. “Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen. Here’s how it happened:”
Isn’t that great? Only 30 million.
According to the update, using accounts they already controlled, the attackers exploited the bug to steal tokens from approximately 400,000 users. The attackers then used some of those 400,000 accounts to steal the access tokens from a total of 30 million users.
“The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” stated Facebook’s blog post. “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
Facebook also stated that the attackers did not have access to information related to other Facebook services such as Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.