A few weeks ago, Facebook suffered one of its biggest user data debacles ever. The original report claimed up to 50 million or more accounts were at risk thanks to a vulnerability with the “view as” feature, which allowed users to see pages as a visitor would. This feature gave malicious actors a chance to grab an account’s “access token,” which Facebook uses to keep people logged into the service. If you have someone’s access token, you can get into their account without a password or username.
You can read the official announcement here or check out this Last Week in Tech podcast episode, in which we discuss the issue.
Click here to find out if you were one of the affected users.
What got out?
Last we heard, Facebook was conducting an investigation into the matter. Now we have some hard info about who was affected and what information got out there.
According to Facebook’s announcement, the vulnerability existed for more than a year, between July 2017 and September 2018. The company reportedly spotted the problem when looking into a traffic spike on September 14, 2018. They began an investigation. Then the FBI got involved.
While 50 million accounts were at risk, it turns out that roughly 30 million access tokens were stolen. Here’s a breakdown:
15 million people had their phone numbers and/or email addresses exposed, depending on the setup of their account.
14 million people had a more serious breach, which exposed their “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow.”
1 million people were lucky and didn’t give up any information in the hack.
What to do if you’re hacked
Your password is likely still safe, since that wasn’t part of the available information, but if you’re using two-factor authentication, you should add a PIN to your mobile carrier account and stop relying on text-based two-factor authentication when logging into Facebook.
It’s unlikely, but not impossible, that the data from the breach could allow someone to take over your mobile phone number and use it as a gateway to the rest of your secure accounts.
That group of 14 million people is obviously the most seriously affected. Hackers can even see their last 10 Facebook searches, which seems like particularly sensitive information that most users wouldn’t want exposed.
If you want to find out if you were hacked, you can click on this page and scroll down to the bottom. Facebook is also rolling out notifications to users who were affected to inform them of what information got out.