Facebook does not believe that hackers obtained any information from the other one million people compromised by the attack, which started on September 14 and which Facebook said it was able to stop on September 27. The hackers could use these tokens to take over people's accounts.
Facebook now admits hackers in the security breach revealed two weeks ago stole a lot of sensitive information from millions of users. For 14 million of those accounts, hackers got even more data, such as hometown, birthdate, the last 10 places they checked into or their 15 most recent searches. The breach also did not impact users on other Facebook properties such as Messenger, Instagram, WhatsApp, or Oculus.
The attackers wrote code that crawled the compromised pages and copied information, a technique known as "scraping".
While Facebook has cautioned that the attack was not as large as it had originally anticipated - it forced 90 million users to log out so the security of their profiles would reset - the details of what was stolen left security experts anxious.
The hack impacted 50 million accounts on the service.
The breach could affect users' willingness to use Facebook products. The feature lets the user see how their profile looks to other people on Facebook.
In September, the social media company said hackers exploited the "View As" feature on the website. Besides warning them of their data being leaked, Facebook will inform affected users about the exact information sets the malevolent third parties accessed, in addition to providing them with suggestions on how they can do a better job at protecting their online privacy. The attackers didn't take any information from about 1 million people whose accounts were vulnerable. About 400,000 people served as the hackers' entry point to the 30 million others on Facebook.
Facebook Vice President Guy Rosen said in a Friday call with reporters that the company hasn't ruled out the possibility that other parties might have launched other, smaller-scale efforts to exploit the same vulnerability before it was disabled. Facebook says it has since fixed the flaw, but it also had to reset the access tokens of around 90 million users after the breach. Instead, Facebook is doing all it can to sweep this under the rug, once again only notifying affected users (full disclosure: I was one of them) with an innocuous link at the top of their News Feed. Nevertheless, Facebook is working with different agencies including the Federal Bureau of Investigation to help nail down the perpetrators of the attack. It wasn't patched until last month, after the company's engineers noticed some unusual activity that turned out to be the attack.
"The attackers started with a set of accounts they controlled directly, then moved to their friends, and their friends' friends, and so on - each time taking advantage of the vulnerability", he added. The commission, which is the European Union's lead regulator for privacy matters, said in early October it would investigate the data breach to determine if Facebook violated the EU's General Data Protection Regulation, or GDPR, privacy laws.