Facebook gave an update on its recent security incident Friday, detailing that around 30 million accounts were affected by the hack. Out of those 30 million, hackers successfully accessed data from 29 million Facebook members. However, hackers apparently didn’t have access to any third-party app data.
The company had disclosed in late September that up to 50 million of its users had been affected, and had taken further security precautions on an additional 40 million accounts. Facebook said Friday that it was working with the FBI, which had asked the company not to disclose who may be behind the attack.
Facebook’s vice president of product management Guy Rosen used a blog post Friday morning to share further details on the data the hackers stole from those affected accounts:
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.”
The still-unidentified hackers were able to steal a bunch of additional data from the latter group of 14 million users, according to Rosen:
“This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
Hackers had no access to data from “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts,” according to Rosen. The company nonetheless built a tool for developers to check whether the users of their apps were affected by the hack, Rosen said during a press call Friday morning.
Facebook also said that hackers weren’t able to access any private messages, with one notable exception: Facebook page administrators who had received or exchanged messages in that role could have seen those messages exposed.
This attack vector apparently only affected a subset of 400,000 users, but it could still result in a significant backlash for the company. It could have affected pages from political and self-help groups as well as businesses that won’t like the idea of others accessing their messages.
The company said that it would notify account holders affected by the hack in the coming days. Facebook users are also able to check whether they were victims of the intrusion by going to Facebook’s help pages.