Facebook cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, Facebook Inc said on Friday, as the social media company said its largest-ever data theft hit fewer than the 50 million profiles it initially reported.
The company said it would message affected users over the coming days to tell them what type of information had been accessed in the attack.
The breach has left users more vulnerable to targeted phishing attacks and could deepen their unease about posting to a service whose privacy, moderation and security practices have been called into question by a series of scandals, cybersecurity experts and financial analysts said.
The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users. For the other 15 million users, it was restricted to name and contact details.
Lawmakers and investors have grown more concerned that Facebook is not doing enough to safeguard data.
The company’s shares rose 0.2 percent on Friday, compared to a 2.2 percent gain in the Nasdaq composite index.
Facebook cut the number of affected users from its original estimate after investigators reviewed activity on accounts that may have been affected. Still, cyber security experts warned that the millions of users were at risk of attack.
“The bottom line is that all this data is still out there,” said Corey Milligan, a senior researcher with cyber-security firm Armor Inc.
Facebook Vice President Guy Rosen told reporters the US Federal Bureau of Investigation has asked the company to limit descriptions of the attackers due to an ongoing inquiry.
Rosen revealed that while the attackers’ intent has not been determined, they did not appear to be motivated by the US Congressional election scheduled for Nov. 6.
He declined to break down the number of users by country.
Facebook said it was trying to determine whether the attackers took actions beyond stealing data, such as posting from accounts.
Hackers stole neither personal messages nor financial data and did not use their access to accounts users’ accounts on other websites, Facebook said.
Facebook’s Rosen said the company would “do everything we can to earn users’ trust.”
The company had previously warned that profits would suffer because of breach-related expenses.
The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in use of its “view as” feature.
That feature allows users to check privacy settings by glimpsing what their profile looks like to others. But three errors in Facebook’s software enabled someone accessing “view as” to post and browse from the Facebook account of the other user.
The attackers used the “view as” flaw to breach the accounts of their friends, then used a tool they developed to expand to friends of friends and beyond.
Facebook patched the issue last month and asked 90 million users to log back into their accounts, many just as a precaution.
Security experts have said Facebook’s initial breach disclosure arrived earlier than it likely would have prior to the enactment in May of the European Union’s General Data Protection Regulation, which mandates notification within 72 hours of learning of a compromise.
Facebook’s lead EU data regulator, the Irish Data Protection Commissioner, last week opened an investigation into the breach. Authorities in other jurisdictions including the US states of Connecticut and New York are also looking into the attack.
Regulators around the world have launched inquiries into another matter: How profile details from 87 million Facebook users were improperly accessed by political data firm Cambridge Analytica.