Facebook has revealed hackers gained access to a select number of Messenger conversations in last month’s (28 September) attack, affecting a small amount of companies who interact with consumers through the Pages product specifically.
The company noted that while the attack affected fewer users than it originally feared, around 29 million people’s account security was compromised when attackers exploited a weakness in Facebook’s ‘view as’ tool.
Hackers were able to view the profiles of around 400,000 users as if they were that person, meaning they could view posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations.
If a person in this group of 400,000 was the administrator of a Page that received a message during the period of the attack, the hackers were able to read the content of that message.
The majority of established businesses on Facebook operate from a Page.
Guy Rosen, vice president of product management at Facebook, explained in a statement: “The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people.
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
He added that for 1 million people, the attackers did not access any information.
Facebook established that no third-party apps were affected. It is encouraging users to check it they were affected via the Help Center on the platform. It currently does not have a geographical breakdown of affected users.
Facebook did apologise outright in the published statement but did so later on a call with journalists today (12 October).
It is continuing to work with the FBI, the US Federal Trade Commission, Irish Data Protection Commission and other authorities on the matter. It confirmed the FBI has asked it not to reveal who may be behind the attack.