Facebook Hack Hit 30 Million Users, Not 50 Million as Originally Believed

Breach left phone numbers and recent search history vulnerable


Facebook shared an update on its recent security breach on Friday, announcing that “about 30 million” accounts were impacted, allowing hackers to access a host of information, including users’ phone numbers and search history.

The update comes two weeks after Facebook originally said up to 50 million accounts were vulnerable. The issue, noticed by Facebook on Sep. 25, stemmed from a bug in its “view as” feature, where users can see what their profile looks like to other people.

The bug “allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts,” Facebook VP of product management Guy Rosen said in a blog post. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Facebook patched the vulnerability two days after noticing it, but the hole had been open in its code since July 2017.

The 30 million users that were hit fell into three separate groups. For 15 million users, the attackers grabbed their name and contact info — their phone number, their email address, or both. Another 14 million had their names and contact info lifted, as well as their “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow” and their “15 most recent searches,” according to Rosen. The remaining 1 million vulnerable users did not have their information compromised by the attack.

The hackers have not been identified. Facebook said it had “informed law enforcement” of the hack when it originally reported it last month.

Facebook’s update comes one day after it announced 810 accounts had been kicked off for “inauthentic behavior,” including spamming political misinformation ahead of the 2018 U.S. midterms.