What hackers stole from millions of Facebook users

Mark Zuckerberg, CEO of Facebook, which revealed Friday that a hacking attack compromised the personal data of millions of its users.
  • Some 30 million Facebook users were victims of the hacking attack it revealed recently.
  • That attack exposed the personal information of many users, including their names, phone numbers, birth dates, and more.
  • That kind of information could be used for identity theft and to compromise users’ financial and other accounts, security and privacy experts say.
  • The exposure of that data can also pose particular and obvious dangers to people who are trying to keep a low profile, such as victims of domestic violence.

The hackers did not gain access to account passwords or credit card information, Facebook said.


“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed,” Guy Rosen, vice president of product management, wrote in a blog post Friday.

While Facebook has cautioned that the attack was not as large as it had originally anticipated — it forced 90 million users to log out so the security of their profiles would reset — the details of what was stolen worried security experts. The data can be used for all sorts of schemes by sophisticated hackers.

“Hackers have some sort of a goal,” said Oren J. Falkowitz, chief executive of the cybersecurity company Area 1 Security and a former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.”

The breach could affect users’ willingness to use Facebook products. On Monday, Facebook debuted Portal, the company’s first hardware device built from the ground up, for high-definition video calls. The product asks users to install a camera in their living rooms.

Facebook first found hints of suspicious activity across its network in early September when security engineers noticed a flurry of activity around the “View As” feature, a way for users to check on what information other people can see about them. It was built to give users more control over their privacy.

More than a week later, Facebook determined that the activity was an attack on its systems, focused on three interconnected vulnerabilities in the company’s software.

Those flaws were compounded by a bug in Facebook’s video-uploading program for birthday celebrations, a software feature that was introduced in July 2017. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.

Facebook fixed the bugs and alerted users on Sept. 28 that the accounts of about 50 million users had been compromised.

Regardless of whether your account was affected, you might also want to consider deleting or deactivating your Facebook account, especially if you don’t use it often. If you plan to keep your account, you should also think about limiting what you share on it.

“People share stuff on their Facebook profiles they wouldn’t want shared with the rest of the world,” said Brookman. He continued: “There’s historical data that’s out there about you that could potentially be leveraged against you or used to hack your account or compromise your friends’.”