Facebook says ‘only’ 30 million people affected in latest data breach

Facebook says ‘only’ 30 million people had their names, emails and phone numbers stolen in network’s biggest ever data breach – here’s how to check if you were one of them

  • Facebook said about 30 million users’ accounts were accessed by attackers
  • That’s revised lower from the firm’s initial estimate of 50 million users last month
  • In September, Facebook said attackers took advantage of its ‘View As’ feature 
  • e-mail



In late September, Facebook announced it had been hit by its worst-ever data breach, with hackers gaining access to tens of millions of users’ accounts by taking advantage of the site’s ‘View As’ feature.   

Now, it appears the attack may have affected ‘only’ 30 million users, revised down from its earlier estimate of 50 million.

Facebook believes that about 15 million of those users’ names, phone numbers, email addresses and other sensitive information was visible to the attackers.

About 14 million of that 30 million had an even wider scope of their personal data exposed to hackers, ranging from usernames, date of birth, the types of devices they used to login to Facebook and the last 10 places they checked into or were tagged in, as well as a myriad of other information. 

Scroll down for video 

Facebook’s latest data breach may have affected only 30 million users, which is revised down from its earlier estimate of 50 million. CEO Mark Zuckerberg’s firm discovered it last month


Approximately 14 million users may have had everything from their birth date to recent searches stolen, along with: 

  • Name
  • Email address 
  • Phone number 
  • Gender
  • Types of devices used to access Facebook
  • Language
  • Relationship status 
  • Religion 
  • Hometown   
  • Current City 
  • Work
  • Education 
  • Website
  • 10 most recent locations checked into or tagged in 
  • 15 most recent searches entered in Facebook search bar
  • People or Pages followed on Facebook

A remaining 1 million users didn’t have any personal information accessed as a result of the attack.  

Facebook has determined no credit card numbers were exposed as  a result of the attack.  

The identity of the hackers continues to remain unclear. 

Facebook says the FBI is investigating a major security breach of its service, but the company says authorities asked it not to discuss who may be behind the attack.

That suggests Facebook may know or suspect who’s behind the breach.  

In a call with reporters, Facebook gave scant details about the hack beyond who was affected, citing the fact that it remains an open investigation by the FBI and others. 

Guy Rosen, Facebook’s vice president of product management, apologized for the hack, saying: ‘People’s privacy and security are important to us, and we are sorry this happened.’

When Facebook disclosed the breach two weeks ago, company officials said they didn’t know who was behind the attacks or where they might be based.

Since then, it has been ‘working around the clock’ to get to the bottom of the breach. 

‘We now know that fewer people were impacted than we originally thought,’ Rosen said in a statement.

‘Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.’ 

  • So far so good! Major overhaul of the keys that keep the… Artificial oyster reefs being introduced in Scotland will… ‘World’s fastest camera’ that can capture images at 10… Microsoft under fire after ‘horrifying’ racist and…

Share this article

Users will receive a personalized message on their Facebook News Feed giving them an update on how their account was impacted by the breach, which hit 30 million users 

Access tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password.

In the call with reporters, Rosen was asked whether the information obtained by hackers was used on the Dark Web, or for any other purposes.

‘We haven’t seen any evidence of this being used yet,’ Rosen explained.  

Shedding new light on the hack, he said the attackers used an ‘automated technique’ to move from account to account stealing tokens of friends-of-friends, ‘totalling about 400,000 people’.

This pool of 400,000 users allowed them to steal access tokens from the full 30 million, he continued. 


Facebook said it believes 30 million users were affected a result of the data breach it was hit with in late September. 

That’s a marked decrease from its initial estimate of 50 million users. 

Along with that update, it said 15 million users out of the 30 million had their names and contact information accessed by hackers. Approximately 14 million had that information stolen, in addition a myriad of other data, including username, birthdate, gender, and 15 of their most recent searches.  

The social media giant has launched a dedicated webpage to check if you’ve been hit by the hack. 

Here’s how you can tell if you’ve been hacked: 

  • Visit the Facebook Help center link after logging into your Facebook account. 
  • Scroll down to the section with the header: ‘Is my Facebook account impacted by this security issue?’
  • Users will be given a ‘Yes’ or ‘No’ answer. For users that weren’t affected, they don’t need to take any immediate steps. 
  • For users who were affected, Facebook will give users a list of data they believe was accessed by hackers. 
  • Affected users will be able to discern whether they were part of the 15 million users whose name and contact information was accessed, or the 14 million that had broader information accessed.  
  • They may also be part of the 1 million users whose access token was stolen, but no personal information was accessed. 
  • Users should receive a ‘customized message’ in the next few days telling them further preventative measures they can take to protect their account. 


He wrote: ‘For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).

‘For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.

‘This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

‘For 1 million people, the attackers did not access any information.’

Messages between accounts were not compromised by the hackers, Rosen said on Friday, except if the person was a page admin whose page had received a message 

When users access Facebook’s Help page, they should scroll down to the heading that says ‘Is my Facebook account impacted by this security issue?’ There, it will say ‘Yes’ or ‘No’

Mr Rosen said a combination of three bugs in the ‘View As’ feature, which lets users see what their profile looks like from the perspective of other accounts, made access tokens freely available to copy from the source code of the web page.

It was this vulnerability which allowed ‘an external actor’ to obtain access tokens, giving them the ability to log into, and take over, users’ Facebook accounts and any of their other services, such as Spotify, Instagram or Tinder, which accept Facebook access tokens.

Facebook has since shut down the ‘View As’ feature as a result of the breach. 

Messages between accounts were not compromised by the hackers, Rosen said on Friday, except if the person was a page admin whose page had received a message.

Users who weren’t as lucky will see a breakdown on the information believed to have been accessed by hackers as a result of the breach, which took advantage of the ‘View As’ tool

Approximately 15 million users’ contact info and names were accessed, while 14 million users’ date of birth, gender, types of devices used to log into Facebook and more was accessed

Facebook staff first noticed an ‘unusual spike of activity’ that began on September 14.

The attack did not affect Facebook Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, payments, third-party apps, or advertising and developer accounts. 

‘As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities,’ Rosen said.


The best way to protect yourself is to set up two-step authentication.

Two-factor authentication adds an extra layer of security to apps and websites by asking for both a password and a unique code when logging in.

Once verified, if anyone tries to log into their account they will be sent an autentication code via text message.

Even if a hacker has obtained the user’s email address and password, they won’t be able to access the account without this extra code.

While the extra layer of security isn’t completely hacker proof, it’s far more robust.

Also if users have different passwords for each account it means hackers will not be able to access all accounts in one go.

On September 25, the trend was identified as an attack, prompting programmers to close the vulnerability, which happened within two days, the tech chief said.

‘We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,’ his blog continued.

Facebook users can check if they are affected by visiting the website’s help centre.


Facebook in late September disclosed that it had been hit by its worst ever data breach, affecting 50 million users – including those of Facebook boss Mark Zuckerberg and COO Sheryl Sandberg.

Attackers exploited the site’s ‘View As’ feature, which lets people see what their profiles look like to other users.  

The unknown attackers took advantage of a feature in the code called ‘Access Tokens,’ to take over people’s accounts, potentially giving hackers access to private messages, photos and posts – although Facebook said there was no evidence that had been done.

The hackers also tried to harvest people’s private information, including name, sex and hometown, from Facebook’s systems. 

Facebook said it doesn’t yet know if information from the affected accounts has been misused or accessed, and is working with the FBI to conduct further investigations.

However, Mark Zuckerberg assured users that passwords and credit card information was not accessed.

Facebook says it has found no evidence ‘so far’ that hackers broke into third-party apps after a data breach exposed 50 million users (stock image)  

As a result of the breach, the firm logged roughly 90 million people out of their accounts earlier today as a security measure.  

Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy. 

The disclosure has prompted government inquiries into the company’s privacy practices across the world, and fueled a ‘#deleteFacebook’ movement among consumers. 

Communications firm Cambridge Analytica had offices in London, New York, Washington, as well as Brazil and Malaysia.

The company boasts it can ‘find your voters and move them to action’ through data-driven campaigns and a team that includes data scientists and behavioural psychologists.

‘Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,’ with data on more than 230 million American voters, Cambridge Analytica claims on its website.

The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends.

The data firm suspended its chief executive, Alexander Nix (pictured), after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump

This meant the company was able to mine the information of 87 million Facebook users even though just 270,000 people gave them permission to do so.

This was designed to help them create software that can predict and influence voters’ choices at the ballot box.

The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump.

This information is said to have been used to help the Brexit campaign in the UK.

It has also suffered several previous issues.

2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.  

Source: Read Full Article