Two weeks after saying hackers had accessed the personal information of around 50 million Facebook users, the social network said that, actually, the victims were around 30 million people.
But the data the hackers accessed, it appears, was more sensitive than initially thought. Some of the data stolen included check-in locations and the users’ previous 15 searches on the site.
In a blog post published Friday, Facebook said that “of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.” Of those 30 million, Facebook said it identified four groups of victims hit in different stages: an initial group of 400,000 users, a second group of 15 million people, a third of 14 million, and a final group of 1 million.
Facebook also expanded on how hackers were able to pull the attack off. The hackers already controlled “a set of accounts” and with an automated technique used those “to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.”
For the first 400,000 people, which were the closest to the hackers’ “seed accounts,” as Facebook vice-president of product management Guy Rosen put it in a phone call with reporters, hackers accessed information such as their timeline posts, lists of friends, and groups they’re members of.
For the 15 million people, the attackers got name and contact details such as “phone number, email, or both, depending on what people had on their profiles.” It’s the group of 14 million people that the hackers got the most sensitive data from: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For the last 1 million people, the hackers could not get any information, according to the company.
During the press call, Rosen repeatedly dodged questions seeking to clarify whether Facebook knows anything about who the hackers were, or even whether the company knows at all at this point. Rosen repeated what he wrote in the blog post, saying that the FBI is investigating the breach and has asked the company not to share any information on who may be behind it.
If you are worried whether you were one of the victims, you can check this page created by Facebook, and scroll down to the end.
The company also said it will send “customized messages” to the people affected to explain what data hackers accessed and what victims can do to protect themselves.