Facebook has released more information about the recent attack on the platform and claims that ‘access tokens’ were stolen from 30 million people. Initially, the company assumed that it involved 50 million people.
In a new blog post, Facebook writes that the attackers had access to their names and contact details, including phone numbers and email addresses, of 15 million people via the stolen tokens. A second category, comprising 14 million people, had access to more information. For example, the attackers could access the same data as with the first category, but also profile data. In this way, information was available such as gender, language, relationship status, religion, place of residence, education, work and the 15 most recent searches. In a last category, consisting of 1 million people, there was no access to information.
Facebook says it will notify affected individuals in the coming days. Users can also check themselves whether their data has been viewed via a help page. Facebook says its other services were not affected by the attack, such as Messenger, Instagram, WhatsApp and Oculus. The company had previously disclosed that third-party apps that use Facebook Login were also not affected.
In its current statement, the company says it identified “suspicious activity” on Sept. 14 and learned it was an attack 11 days later. The exploited leak was able to close the company within two days. In a previously published post, Facebook explained that the attackers used a combination of three bugs. The company had told the Irish privacy watchdog that up to 10 percent of affected users were EU citizens. Under the old numbers this was five million, due to the current update this number may be lower.