Facebook Hacking Incident Downplayed to Just 30 Million Victims
Facebook has recently revised downward the number of accounts affected by the breach disclosed weeks ago. After a further audit of its systems, the initial figure of 50 million accounts has been adjusted down to 30 million actually affected. This downgrade comes against the backdrop of Facebook's continued refusal to offer free or discounted fraud protection to affected users.
“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen. The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles,” explained Guy Rosen, Facebook’s VP of Production Management.
This time Facebook has gone as far as disclosing that the users affected by the breach had the following information stolen:
4. Civil Status
7. Current City
9. Device type used for accessing Facebook
12. Last 10 places tagged in
13. Last 10 websites followed
14. Last 10 people or FB pages followed
15. 15 most recent search terms
The social media giant said it will send individual, personalized messages to the 30 million users involved in the data breach. The company promised that each user will receive a detailed explanation of the cause of the incident, what Facebook is doing to remedy the problem, and an assurance that it will not happen again. However, Facebook has from the start operated a business model that sells adverts based on the information users provide to it, something privacy experts strongly object to, captured in the principle "if you don't pay for the service, then you are the product!"
“The attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations,” Rosen emphasized.
Facebook has stated in the strongest terms that its other products (namely Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, Payments and advertising accounts) were not affected. "As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we'll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities," added Rosen.
Facebook falls under the jurisdiction of the EU, as its market includes Europe. The social media giant is set to pay a huge fine for violating the GDPR, a European Union regulation in effect since May 25, 2018. At the time of this writing, it is still unknown exactly how large the fine Facebook will need to pay will be.
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.