Facebook hack: 30 million user accounts were stolen by mysterious attackers, company says

Some 30 million user accounts were stolen in a huge hack of Facebook, the company has confirmed.

The breach – the worst in the company’s history – appears to have been carried out by an unnamed attacker, Facebook suggested. It said the FBI was “actively investigating” the hacker, and that it had “asked us not to discuss who may be behind this attack”.

The company had already announced that around 50 million users’ data had been exposed when hackers stole login keys that allowed them to access profiles. But it wasn’t clear how many of them had actually been used.

Now it has admitted that the attack saw personal data on 30 million people stolen.

The hackers accessed name, email addresses or phone numbers from those 29 million accounts. For 14 million of those accounts, hackers got even more data, such as hometown, birthdate, the last 10 places they checked into or 15 most recent searches. One million other accounts were affected but hackers didn’t gain information.

The social media service plans to send messages to people whose accounts were hacked.

While it seemed to suggest that one group of attackers was behind the large attack, it also said that it could not rule out ”the possibility of smaller-scale attacks, which we’re continuing to investigate”, and so the total number of people affected could be even higher.

The attack did not affect other Facebook companies like WhatsApp and Instagram, it claimed.

For the first time, Facebook detailed how the hack had actually worked. It said the attacker already had access to 400,000 user profiles, which it was then able to use to steal “access tokens” for those accounts’ friends, using a major bug in the code that powers Facebook.

By escalating that attack and taking over friends’ accounts and then friends of those friends, the mysterious attacker eventually took over tens of millions of users’ accounts, it said.