On Friday, while still insisting on calling this data breach a "security incident", the company's VP of Product Management Guy Rosen explained that "the attackers exploited a vulnerability in Facebook's code that existed between July 2017 and September 2018", which allowed them to steal Facebook access tokens that they could then use to take over people's accounts.
"For 15 million people, attackers accessed two sets of information - name and contact details (phone number, email, or both, depending on what people had on their profiles)", he said.
Facebook is still looking into specifics of the attack, although the post goes into a little more detail of how a common feature was used against account holders.
Facebook plans to contact all 30 million identified accounts to explain exactly what happened, how it affects them and what precautionary measures can be taken moving forward. In roughly half of the cases, names, email addresses, and phone numbers were retrieved; the remaining 14 million saw more private data (including marital status, city, educational background, birth date, locations, and recent searches) accessed.
It's the type of information that people can use in phishing attempts - meaning when scammers lure you into entering passwords or other information on fake websites. For 1 million people, the attackers did not access any information.
Facebook has given an update regarding its recent data breach, reporting that although the attack wasn't as widespread as originally thought, millions of Facebook accounts were still breached.
Facebook users who want to know if they are victims of the hack can check if their data has been stolen. The attackers used an automated technique to move from one Facebook account to another, stealing the access tokens of friends of the accounts they already had access to, and so on, reaching a total of 400,000 users.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.
Rosen also said that the attack "did not include Messenger, WhatsApp, Instagram, Messenger Kids, Workplace, Oculus, payments, developer accounts, advertising, third-party apps or pages". "I think this is nothing but an age-old mechanism of trying to reduce the impact of the disaster, by first coming in with small tricklets of information, and slowly over a period of time, expanding the scope of the said disclosures".
"This doesn't sound very targeted at all", he said.
"We're co-operating with the Federal Bureau of Investigation, which is actively investigating and asked us not to discuss who may be behind this attack", Facebook said.