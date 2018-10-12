Log in
Facebook : Says Fewer Users Impacted by Recent Cyberattack than First Thought--2nd Update

10/12/2018 | 08:54pm CEST

By Kirsten Grind

Facebook Inc. said that fewer users than it initially thought were impacted by hackers in the largest-ever security breach at the social-media giant two weeks ago, reducing its estimate from 50 million users affected to 30 million.

In a blog post Friday, Facebook said the 30 million had their access tokens -- digital keys that keep people logged into social-media site -- stolen when hackers "exploited a vulnerability" in the company's computer code between July 2017 and September 2018. Facebook discovered the attack Sept. 25.

"We now know that fewer people were impacted than we originally thought, " Guy Rosen, vice president of product management, said in the blog post.

In a call with reporters Friday, Mr. Rosen declined to say who might have been behind the attack, noting that the company is working with the Federal Bureau of Investigation and that the agency has asked Facebook not to discuss the identity of the perpetrators.

Facebook also declined to give a geographic breakdown of users who were affected.

It is also unclear how the stolen data may have been used. Mr. Rosen said he hasn't seen any evidence of the data on the "dark web" -- a network of websites used by hackers and others to share information -- where stolen information often changes hands.

Facebook's security breach comes as the social network is still trying to win back the trust of its 2 billion users after a series of missteps in the last year. Earlier this year, the company said the data of millions of users was improperly shared with Cambridge Analytica, an analytics firm with ties to President Donald Trump's 2016 campaign.

Of the 30 million users who were affected, Facebook said 15 million had their names and contact details -- including phone numbers and email addresses -- accessed. Fourteen million users were the most affected. In addition to name and contact information, those users also had details such as their gender or relationship status revealed, as well as the last 10 places they checked into or 15 most recent searches. The attackers didn't access any information of the 1 million remaining users who were vulnerable in the security breach.

In some cases, it is possible users may have had their private messages accessed if they were acting as an administrator on any of the pages that were targeted, Mr. Rosen said. He said the breach didn't affect Facebook's Instagram, WhatsApp or Facebook Messenger units.

In addition, Facebook gave more detail on how hackers were able to carry out the attack. It said the attackers started with a smaller set of accounts that they controlled and were connected to Facebook friends. Then they moved from account to account, stealing the access tokens of those people's friends.

Facebook said it would be notifying the 30 million users whose accounts were affected, including those who may have since shut down their Facebook accounts.

Mr. Rosen said Facebook is "working around the clock" on the security breach and "we have not ruled out the possibility of smaller, lower level access attempts during the time of the exposure."

Write to Kirsten Grind at kirsten.grind@wsj.com

