Marketing Land

Social Media Marketing

Attackers exploited 3 bugs and Facebook’s once-vaunted social graph to steal 29 million users’ data

14 million users had names, contact details, bio information, location and search history stolen, among other details.

Ginny Marvin on October 12, 2018 at 3:12 pm

Facebook provided an update on the investigation into the massive data exploit it reported to users on September 28. While the overall number of people affected is lower than previously thought (30 million rather than 50 million), that’s about the only good news.

How it happened. The attackers were able to take advantage of a combination of three separate software bugs to get Facebook access tokens (used to allow users to stay logged into the app) and take over users’ accounts. They stole the tokens of some 30 million Facebook users.

Timing. Facebook says it discovered the attack on September 25 and started notifying users on September 28. For two weeks, September 14 to 27, the hackers were able to use the access tokens to extract data. That means it took two days to address the problem and invalidate the access tokens.

Network effect downfall. As with the Cambridge Analytica scandal, Facebook’s social graph opened up access to Facebook friends and allowed the attackers to take advantage of the network effect. Starting with their own set of friends, “(the attackers) used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” wrote Guy Rosen, Facebook VP of product management, in a blog post. They then accessed lists of friends from a set of that initial 400,000 to gain access to the tokens of the roughly 30 million people.

  • For those 400,000 profiles, the attackers could access their timeline posts, lists of friends, Groups they belong to and names of recent Messenger conversations. Messages sent to Pages were also exposed if their Page Admins were part of that group.
  • 15 million people had their names and contact details (phone number, email or both) accessed.
  • 14 million people had their names, contact details and “other details people had on their profiles.” That list of other details is extensive: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
  • Another 1 million people had their tokens stolen but their information wasn’t accessed, said Facebook.

Who did it? Facebook says it is working with the FBI and has been asked “not to discuss who may be behind this attack.”

Why it matters. The consequences for people affected could last years, including compromised two-factor authentication, identity theft and ongoing hacking concerns. Facebook is already facing regulatory investigations in the EU and in the U.S. over its data handling practices. After two very, very bad years, this exploit will bring even more regulatory scrutiny and further erode users’ trust in the company. Nothing so far seems to have truly shaken advertisers away. If this triggers more user abandonment, advertisers could follow.





About The Author

Ginny Marvin
Ginny Marvin is Third Door Media’s Editor-in-Chief, running the day to day editorial operations across all publications and overseeing paid media coverage. Ginny Marvin writes about paid digital advertising and analytics news and trends for Search Engine Land, Marketing Land and MarTech Today. With more than 15 years of marketing experience, Ginny has held both in-house and agency management positions. She can be found on Twitter as @ginnymarvin.
