The good news is that the hackers who hit Facebook last month only stole the keys to 30 million user accounts, not the 50 million originally thought, the company’s security chief said Friday.
The bad news? The attackers subjected 14 million of those accounts to a deep harvesting of profile data, reaping information like the users’ stated religion, birthdate, employer, relationship status, and a record of the last 15 searches the victim conducted through the social-networking site.
The attackers’ intentions are unclear, but appear unrelated to the U.S. midterms, Facebook Vice President Guy Rosen said in a Friday press call. “We are still looking at other ways the people behind this attack may have used Facebook, and we haven’t ruled out the possibility of smaller-scale, low-level use of this vulnerability prior to September,” said Rosen. “We continue to investigate that.”
Facebook was alerted to the breach last month by a spike in network traffic. A subsequent investigation found the hackers were exploiting a previously unknown security hole in Facebook’s massive code base to steal user “access tokens,” which allow logged-in users to revisit the site without entering their password each time. The hole had been around since July of last year.
The incident added to ongoing Facebook controversies, including a year of revelations about the site’s role in spreading fake news, its use by Russian intelligence agents and trolls in the Kremlin’s 2016 election-interference campaign, and the acquisition of private profile data for up to 87 million users by the shady campaign consulting firm Cambridge Analytica.
On Friday, Facebook revealed more about how the incident unfolded, disclosing that the hackers apparently used their own Facebook accounts to launch the attack—which suggests the case isn’t a whodunnit.
The security hole only allowed an attacker to breach accounts on their friends lists. So the hackers wrote a script that first hacked their own Facebook friends, and then repeated the process from each of those hacked friends’ accounts, spidering out until they’d amassed 400,000 accounts to use as a launchpad.
After that, the attack entered a more discriminating phase. The hackers took the friends lists of those 400,000 people and compiled them into a massive hit list of at least tens of millions of potential targets. They culled the list down to 30 million—by what criteria, Facebook isn’t saying—and stole access credentials for only those accounts.
The hackers used the credentials to harvest names and contact information for 29 million of the victims—the remaining one million were spared, possibly due to Facebook’s intervention last month.
On about half of those accounts, the hackers didn’t stop at email addresses and phone numbers. The attackers also pulled down gender, language settings, relationship status, religion, hometown, current city, birthdate, education, employer, the types of devices the users had used to access Facebook, the geographic locations they had checked in to or been tagged at, and the last 15 queries they had sent through Facebook’s search box.
Facebook won’t say what’s special about those 14 million accounts, citing an ongoing FBI investigation. For the same reason, Rosen declined to discuss the geographic distribution of the attack, except to say that it was “broad.”
But the whole thing began from a handful of “seed” accounts “that were associated with the attackers themselves,” said Rosen. “Then they went to their friends and friends-of-friends.”
Facebook plans to notify the users whose information was stolen. The company revoked the access tokens last month, and said the hackers did not use the stolen tokens on third-party apps and websites that use Facebook’s authentication platform—addressing one early concern about the incident. Private messages were generally not at risk, Rosen said, and credit card numbers and passwords were also not exposed.
“People’s accounts have already been secured by the action we took two weeks ago,” said Rosen.