For about 14 million people the hackers accessed information such as the last 10 places that person checked into, their current city and their 15 most-recent searches, the company said Friday in a blog post. Three software bugs in Facebook's code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people's accounts.
Facebook says the hackers accessed the names, phone numbers, and email addresses of 15 million users.
The new details come two weeks after Facebook first announced that attackers had access to 50 million users' accounts, meaning they could have logged in as those users. With an access token, an attacker could take over your account and use it as if they were you.
Last month, the California-based social media giant had reported that 50 million Facebook users' accounts were affected.
Facebook said it will send customized messages in the coming days to affected users to explain what information the attackers accessed and how they can protect themselves, including from suspicious emails, text messages or calls.
He said the FBI has asked the company "not to discuss who may be behind this attack" or to share other details that could compromise its investigation.
Facebook said it is working with the FBI to investigate the biggest hack in its history. "The stolen data is likely to be used by the hackers, so this problem is likely to persist for quite some time".
At that point, Facebook had started investigating the issue, so it wasn't exactly sure which users had actually been impacted.
The attackers used the "view as" flaw to breach the accounts of their friends, then used a tool they developed to expand to friends of friends and beyond.
Once they had the tokens for the seed accounts, Rosen said the attackers used the tokens to access the 400,000 accounts and deployed scripts to harvest even more tokens at a larger and automated scale. The attack began on September 14, but Facebook only realized it was a threat by September 25.
Facebook has said it will not provide identity fraud protection for the victims of its latest data breach.
The firm confirmed that it was only Facebook that was attacked and that their other services including "Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts" were not affected.
Facebook has also established a Web page that will inform users who are logged in whether their accounts were affected.
Last Friday Facebook said that it had temporarily reset access tokens of nearly 50 million accounts and, as a precaution, was resetting access tokens for another 40 million accounts. The company said the actual content of the messages was not revealed unless "a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers". There is a series of different variations depending on how much data was taken from your account when it was accessed.