Could hackers have seen the last person you cyberstalked, or the party photo you were tagged in? According to Facebook, the unfortunate answer is "yes."
On Friday, the social network said that fewer users were affected by the security breach it revealed two weeks ago than originally estimated – almost 30 million, down from 50 million. In some good news, the company said hackers could not access more sensitive information such as passwords or financial information. And third-party applications were not affected.
Yet, for users who were already worried about the privacy and security of their Facebook accounts after a year of turmoil, the details that hackers gained access to
Facebook has been quick to let users check exactly what was accessed. But beyond learning what information the attackers had access to, there is relatively little that users can do, other than watch out for suspicious emails or texts. Facebook says that the problem is solved.
The company created a website that its 2 billion global users can use to check whether their accounts have been accessed and, if so, exactly what information was stolen. It will also provide guidance on how to spot and handle suspicious emails or texts. Facebook will also send messages directly to those affected by the hack.
On this page, after some preliminary information about the investigation, the question "Is my Facebook account affected by this vulnerability?" appears midway down. It will also provide information specific to your account if you are logged in to Facebook.
Facebook said the hackers accessed names, e-mail addresses or phone numbers from these accounts. For 14 million of them, hackers got even more data – basically anything visible on your account that any of your friends could see, and more. It is a fairly comprehensive list: username, gender, language, relationship status, religion, hometown, self-reported current city, date of birth, device types used to access Facebook, education, work, the last 10 places you checked into or were tagged in, your website, people or pages you follow, and your 15 most recent searches.
A further 1 million accounts were affected, but hackers obtained no information from them.
The company is not giving a breakdown of where these users are, but says the breach was "quite wide". It plans to send messages to people whose accounts were hacked.
Facebook said the FBI is investigating but has asked the company not to discuss who might be behind the attack. The company said that it has not ruled out the possibility of smaller-scale attacks that used the same vulnerability.
The company said it has fixed the bugs and logged out affected users to reset their digital keys.
Facebook Vice President Guy Rosen said on a Friday call with reporters that the company has not ruled out the possibility that other parties may have launched other, less targeted attempts to exploit the same vulnerability before it was disabled.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity-theft breaches at companies including Yahoo and Target in 2013.
"These personal details can easily be used for identity theft to sign up for credit cards, get a loan, get your bank password, etc.," he said. "Facebook will provide all these customers with free credit monitoring to ensure that the damage is minimized."
Thomas Rid, a professor at Johns Hopkins University, also said that the evidence, especially the size of the breach, seems to point to a criminal motive rather than a sophisticated state operation, which usually targets fewer people.
"This does not sound very targeted at all," he said. "Usually when looking at a sophisticated government, a few thousand people are hacking a lot, but they usually know who they are going to."