After an initial Facebook revelation that claimed 50 million user accounts had been affected by a breach, the social media giant is now stating that 30 million user accounts actually had their access tokens stolen.
Access tokens, or digital keys, allow access to an account without the need to enter a password, so anyone in possession of a token can take over the user account it belongs to.
In a blog post on Friday, Facebook vice president of product management Guy Rosen disclosed further details about the infamous hack that first came to light in late September.
Curiously, the attackers used “an automated technique” from a handful of accounts already under their control to target the connected accounts of the victims’ friends. Spreading from account to account, they stole the access tokens of those friends, and then of friends of friends, snowballing to a total of nearly 400,000 people.
Alarmingly, that attack spread quickly, with Rosen stating:
The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people.
Of the 30 million users, half have had their names and contact details exposed, including phone numbers, email addresses or both. A further 14 million people have had a range of other identifying and personal information exposed.
The Facebook executive wrote:
For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
Facebook says it will send “customized messages” to those affected by the attack, with advice on precautions against suspicious emails, texts and calls.