Facebook said on Friday, October 15, that an attack on its computer systems, announced two weeks earlier, had affected 30 million users, about 20 million fewer than it estimated earlier. But the personal information that was exposed was far more intimate than originally thought, adding to Facebook’s challenges as it investigates what was probably the most substantial breach of its network in the company’s 14-year history.
Detailed information was stolen from the Facebook profiles of about 14 million of the 30 million users. The data was as specific as the last 15 people or things they had searched for on Facebook and the last 10 physical locations they had “checked into.”
Other personal details were also exposed, like gender, religious affiliation, telephone number, email addresses and the types of computing devices used to reach Facebook.
Users’ names and contact information like telephone numbers were stolen from an additional 15 million profiles, Facebook said. The security tokens of about one million other people were stolen, but hackers did not get their profile information, the company said.
The hackers did not gain access to account passwords or credit card information, Facebook said.
“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed,” Guy Rosen, vice president of product management, wrote in a blog post on Friday.
While Facebook has noted that the attack was not as large as it had originally anticipated — it forced 90 million users to log out so that the security tokens protecting their profiles would be reset — the details of what was stolen worried security experts. Such data can be used by sophisticated hackers for many kinds of schemes.
“Hackers have some sort of a goal,” said Oren J. Falkowitz, chief executive of the cybersecurity company Area 1 Security and a former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.”
An attacker may use that information to conduct sophisticated “phishing attacks,” a method used to get into financial accounts, health records or other important personal databases, Mr. Falkowitz said.