Facebook shared Friday how hackers exploited a vulnerability in its system and obtained access tokens to harvest millions of phone numbers and email addresses.
Facebook uses access tokens so its users can log into their accounts without retyping their passwords every time.
The company said the hackers pried into the private info of 14 million affected users. This includes their names, contact information, relationship status, gender, and check-ins.
Another 15 million users had their names and contact info breached. And another one million users only had their access tokens stolen.
Facebook reset the access tokens for all affected users.
The company said the FBI is on top of the investigation. The FBI advised Facebook to keep mum on the suspects and specific details.
Facebook VP of product management Guy Rosen said the company is still looking for potential vulnerabilities that the hackers may have used in the attacks.
“…we haven’t ruled out the possibility of smaller scale, low-level access attempts,” he said.
Facebook also notified the U.S. FTC and the Irish Data Protection Commission.
The company said the attack started September 14. But they only found out on September 25.
In two days, the company’s security team fixed the vulnerabilities, blocked the attack and reset access tokens for affected users.
Rosen said impacted users will receive a note in the coming days notifying them of the Facebook breach.
Facebook shares dropped to a day low of $151.30 per share after the announcement.
The company has been swamped with issues this year. On Thursday, it decided to remove 559 Pages and 251 accounts for breaking spam policies.
How to know if you were affected
The company published a website where you can check whether your account was affected by the Facebook breach. It also shares the extent of what information hackers may have accessed.
Make sure you log into Facebook before heading to this security notice page.
If your account is safe, Facebook displays this message:
Based on what we’ve learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts.
If your account was compromised, Facebook will share what private information the hackers gained.
While we don’t know if the attackers will use any of the information they accessed, it appears the information may allow them or other third parties to use it to create and spread spam on and off Facebook. We’re actively working with law enforcement as we continue to investigate.
If you are ready to leave after the Facebook breach, you can also delete all your information on the platform here.