Facebook announced Friday (Oct. 12) that the breach it uncovered more than two weeks ago resulted in nearly 30 million people having various information accessed and scraped by hackers.
It’s fewer people than the platform initially announced. However, some of the information the hackers accessed is deeply personal, including phone numbers and locations a user was tagged in (more on that below). Facebook said it would notify users “in the coming days” to tell them how they’ve been hacked (it’s already started to do so). However, you can proactively check by going to this website.
You might see this, which means you were not affected:
Or this, which means you were:
Facebook said there are four groups of affected accounts:
- The hackers started with a small group of accounts that they controlled, and then stole access tokens (the tool that lets you access Facebook without logging in each time) of their friends and friends of friends and so on. That group totaled about 400,000 people, and the attackers gained access to: “posts on their timelines, their lists of friends, groups they are members of, and the names of recent Messenger conversations,” but not the message contents (unless they were a page administrator).
- Then the attackers used a portion of this group’s friend lists to steal access tokens for about 30 million people. For 15 million of them, they accessed their name and contact details—”phone number, email, or both, depending on what people had on their profiles.”
- For 14 million people, the hackers accessed that same set of information and multiple details the users had on their profiles including: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
- For the remaining 1 million people, the hackers did not access any information.
On a call with reporters, Guy Rosen, the company’s VP of product management, was asked who was behind the attack. He answered that the FBI, which Facebook is cooperating with, asked the company not to disclose any information on potential perpetrators. Nor would he say where the affected users were based, only that the attack was “broad.”
Since the vulnerability was present since July 2017, Facebook can’t rule out that there were other, smaller-scale attacks in the interim, Rosen said. It’s also unclear, above all, how the attackers used or intend to use the stolen data.
Rosen said credit card information does not appear to have been stolen during the hack. He also said there was no evidence that third-parties that use Facebook login (websites that you log into with your Facebook account) were affected. However, if your phone number was affected by the hack, and you’ve used it for two-factor authentication on other sites, your information might potentially be vulnerable.
No other Facebook apps, including Instagram or WhatsApp, were affected by the breach.
Sign up for the Quartz Daily Brief, our free daily newsletter with the world’s most important and interesting news.
More stories from Quartz: