Facebook Downgrades Breach Number To 30 Million

Facebook’s recent data breach exposed email addresses and other data on fewer users than originally reported.

In a Friday afternoon blog post, vice president, product management Guy Rosen writes, “we now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”

That reduction may not sway EU regulators now investigating the breach, nor stop class-action lawsuits. In an effort to be transparent, however, Rosen describes the breach as follows: 

“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).” 

He continues: “For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”

Rosen concludes: “For 1 million people, the attackers did not access any information.”

The company has not ruled out the possibility of smaller-scale attacks, according to Rosen.

He reports Facebook saw “an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability. Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed.”

Ireland’s Data Protection Commission, reportedly Facebook’s lead privacy regulator in Europe, announced last week it will probe whether Facebook is in compliance with GDPR. The potential penalties could cost Facebook up to $1.63 billion, according to The European Sting.

In addition, the firm has been hit with a class-action lawsuit filed by Carla Echavarria and Derrick Walker, charging that “despite numerous lapses in their approach to data security, Facebook still lacks the safeguards and protections for users’ PII, and that information remains at risk today.” 

Rosen states Facebook will send “customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages or calls.”


