
Facebook breach affected 20 million fewer than thought

The recent Facebook breach affected 20 million fewer accounts than was previously thought. The company now says 29 million accounts had data exposed to attackers.

As the investigation into the recently disclosed Facebook breach continues, the number of affected accounts has gone down, but questions remain.

In a new update regarding the attack, Guy Rosen, vice president of product management for Facebook, said the malicious attack affected 30 million accounts -- 20 million fewer accounts than Facebook originally thought. And he gave more detailed information on the data accessed in the Facebook breach.

Rosen said the Facebook breach began with attackers exploiting a vulnerability that "was the result of a complex interaction of three distinct software bugs" in order to get control of an unknown number of accounts. The attackers then "used an automated technique" to steal the access tokens of the friends and friends of those friends, etc., "totaling about 400,000 people."

According to Rosen, the attackers only needed "a portion of these 400,000 people's lists of friends to steal access tokens for about 30 million people."

"For 15 million people, attackers accessed two sets of information -- name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles," Rosen wrote in a blog post. "This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information."

Peter Tran, vice president of global cyber defense and security strategy at Worldpay Inc., based in London, said the attackers' ability to expand through Facebook's network was especially troubling.

"Of specific concern to me was the 'land and expand' ability the hackers had with using the 400,000 Facebook accounts in their control. That's a significant footprint for an attack surface," Tran wrote via Twitter direct message. "The data stolen is quite powerful for a cybercriminal when combined with social engineering and potential identity theft. Common users don't realize that Facebook data can provide a comprehensive profile for hackers to use over time."


Rosen added that the FBI has been brought in to help investigate the Facebook breach, although the bureau "asked us not to discuss who may be behind this attack."

Tran said the actions taken regarding the Facebook breach have been responsive.

"The company appears to be transparent and working closely with law enforcement authorities and regulators, which is best practice in cases this large and ongoing," Tran wrote. "The devil is in the details of this investigation, and time will tell the full extent and impact given the degree by which the hackers had control over a large number of accounts as a leverage point."

Despite the updated details regarding the Facebook breach, experts said there were still lingering questions.

Pravin Kothari, CEO of CipherCloud, based in San Jose, Calif., was specifically concerned with questions that would affect the GDPR investigation being performed by the Irish Data Protection Commission, such as how many of the 30 million affected accounts were for users in the EU and when Facebook might file a GDPR disclosure.

"Not knowing all of the detail of when the breach was discovered, who exactly was impacted, who was responsible, etc., the possible outcomes may be worse than we know today. We'll have to see what Facebook discloses about potential liability if any exists," Kothari wrote via email. "The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users. Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted."
