A group of hackers used a flaw in Facebook’s “view as” feature to gain unauthorized access to over 30 million accounts — and today, the company released its most comprehensive statement yet on exactly what data was taken as part of the breach. According to the latest statement, the hackers stole access tokens for over 30 million accounts (the initial estimate was 50 million), allowing them to gain complete access to the profiles. Of those 30 million, the hackers accessed basic contact information like name, email or phone number for 14 million accounts, and additional information including gender, religion, location, device information, and the 15 most recent searches for another 15 million accounts. No information was accessed for the remaining one million accounts.
“We take these incidents really, really seriously,” Guy Rosen, Facebook’s vice president of product management, told reporters in a call afterwards.
Facebook has pledged to notify all 30 million users through the Help Center in the coming days. Crucially, Facebook said no data was taken from third-party apps linked to the accounts, including Facebook products like Instagram, Messenger and WhatsApp. At the same time, there may have been smaller but more invasive attacks during the same period that have yet to be uncovered by Facebook’s investigation. There’s also no indication that the hackers posted any content while logged in.