SAN FRANCISCO – Facebook says 20 million fewer accounts were breached than originally thought in one of the worst security incidents at the giant social network – 30 million instead of 50 million – but attackers made off with sensitive personal information from nearly half of those users that could put them at serious risk, including phone number and email address, recent searches on Facebook, location history and the types of devices people used to access the service.
Hackers got their hands on data from 29 million accounts as part of last month’s attack, Facebook disclosed Friday. Facebook originally estimated that 50 million accounts could have been affected but the company didn’t know if they had been compromised.
For about half of those whose accounts were broken into – some 14 million people – the hackers looted extensive personal information such as the last 10 places the user checked into, their current city and their 15 most recent searches. For the other 15 million, hackers accessed name and contact details, according to Facebook. Attackers didn’t take any information from about 1 million people whose accounts were affected. Facebook says hackers did not gain access to financial information, such as credit-card numbers.
The company would not say what the motive of the attackers was but said it had no reason to believe the attack was related to the November midterm elections.
Facebook users can check if their data was stolen by visiting the company’s Help Center. Facebook says it will advise affected users on how they can protect themselves from suspicious emails and other attempts to exploit the stolen data. Guy Rosen, Facebook’s vice president of product management, said the company hasn’t seen any evidence of attackers exploiting the stolen data or that it had been posted on the dark web.
Affected users should be on the lookout for unwanted phone calls, text messages or emails from people they don’t know and attempts to use their email address and phone number to target spam or attempts to phish for other information. Facebook users should also be wary of messages or emails claiming to be from Facebook, the company said.
Third-party apps and Facebook apps such as Instagram and WhatsApp were not compromised, according to Facebook. Hackers were not able to access any private messages but messages received or exchanged by Facebook page administrators may have been exposed.
Security experts say the 14 million users who had extensive personal information swiped are now extremely vulnerable. Colin Bastable, CEO of Lucy Security, which focuses on cybersecurity prevention and awareness, painted an especially grim scenario.
“The truth is that, as a result of this news, millions of phishing attacks will now be launched, pretending to be from Facebook. Up to 20 percent of recipients will click and a large number of those will be successfully attacked, many of them using work computers and mobile devices,” Bastable said. “Businesses and governments will lose money, ransomware attacks will result from this leak, and the attack will reverberate over many months.”
The culprits behind the massive hack have not been publicly identified. The FBI is actively investigating the hack and asked Facebook not to disclose any information about potential perpetrators, Rosen said. When they disclosed the breach two weeks ago, Facebook officials said they didn’t know who was behind the attacks.
The latest disclosure, another in a series of security lapses that have shaken public confidence in Facebook, may intensify political heat on the company. An investigation is underway by Ireland’s Data Protection Commission, and Rosen said Facebook is also cooperating with the Federal Trade Commission and other authorities. The FTC declined to comment on whether it’s investigating.
Source: US Today