The Vice President, Product Management, Facebook, Guy Rosen, says the company will educate Facebook users on ways to protect their accounts.
Mr Rosen said in a statement that in the coming days, Facebook would send customised messages to the 30 million people affected by security breach to explain the how to know the information the attackers might have accessed.
“Facebook will also send customised messages on steps they can take to help protect themselves, including from suspicious emails, text messages or calls,” he said.
According to him, people can check whether they were affected by visiting Facebook’s Help Center.
“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago.
“This is to help people understand what information the attackers may have accessed.
“We have not ruled out the possibility of smaller-scale attacks, which we are continuing to investigate.
“As we have said, the attackers exploited vulnerability in Facebook’s code that existed between July 2017 and September 2018.
“The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted ”View As”, a feature that lets people see what their own profile looks like to someone else,” he said.
Mr Rosen said that the “View As” feature allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.’’
He said the company saw an unusual spike of activity that began on Sept. 14, then started an investigation, and turned off ”View As”, as a precaution.
“We are cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.
“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends.
“They used an automated technique to move from account to account, so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” he said.
Mr Rosen said that the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people.
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.
“These included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook.
“They also include education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow and the 15 most recent searches.
“For one million people, the attackers did not access any information,” he said.