In Facebook's massive breach, the hackers' friends were the first victims

Keep your friends close and your breach victims closer.

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Alfred Ng

Oct. 12, 2018 11:12 a.m. PT

2 min read

Illustrative image of the Facebook website. — Look out for your friends.
Getty Images

What's 400,000 Facebook access tokens between friends?

The world's largest social network gave an update Friday on the huge data breach it discovered late last month. And in addition to saying the breach ultimately affected about 30 million users instead of the 50 million it first reported, Facebook said the hack started among 400,000 people closest to the attackers.

Though the hackers scaled up the assault massively, the breach began with the attackers' own Facebook friends. The hackers used the "View As" vulnerability to steal access tokens from their own friends, and then repeated that process for friends of those compromised friends.

It was done automatically, Facebook's vice president of product management, Guy Rosen, said in a press call Friday, until the hackers amassed 400,000 accounts within their own network.

"They stole their friends' access tokens and then the access tokens of those friends," Rosen said.

Though they were friends on Facebook, it's unclear how close the attackers were to their first set of victims. Facebook didn't respond to a request for comment, and Rosen declined to provide specific details on the attackers because the FBI is investigating the breach.

For those initial victims, the attackers could see timeline posts, friend lists, what groups people were members of, and whom people had recently sent messages to. There was no Messenger content exposed, unless the affected person was a Page admin whose page received messages from someone, Facebook said.

With those 400,000 accounts, the hackers used the same vulnerability to steal information on millions of Facebook users.

Ultimately, they stole sensitive personal information from 14 million accounts, including birth dates, recent search history and the last 10 locations where users were tagged. Another 15 million people had information like names, phone numbers and email addresses pilfered.

Facebook first realized it was under attack after noticing a spike in activity on Sept. 25. The hackers had been active for 11 days before Facebook staff noticed something was wrong.

The automated process the hackers used to target their Facebook friends would load their profiles through the "View As" tool, which let people see how their profiles looked to others. Facebook has since disabled the tool for safety purposes.

Infowars and Silicon Valley: Everything you need to know about the tech industry's free speech debate.

Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.