A Facebook data breach allowed hackers to gain access to some 30 million accounts, fewer than the nearly 50 million first reported.

Facebook said for the first time that the data breach reported in mid-September exposed the personal information of millions of users, including where they live, when they were born, and what their relationship status is.

The company said Friday that 30 million users were affected by the breach, less than the 50 million first reported. But nearly half of those users, or 14 million, had sensitive information accessed, including their username and recent Facebook searches.

Some 15 million had only their names and contact details, either their email or phone numbers, exposed. No data was stolen from the remaining one million accounts that the hackers accessed.

Privacy experts say that such personal details can be just as important to consumers—and valuable to criminals—as financial data.

“People share very sensitive information through their Facebook and Messenger accounts,” says Justin Brookman, director of consumer privacy and technology for Consumers Union, the policy and mobilization division of Consumer Reports. “And unlike credit card numbers, Facebook can’t just issue new numbers.”

Facebook and Privacy

In a blog post signed by Guy Rosen, Facebook's vice president of product management, the company said its investigation was prompted on September 14 by "an unusual spike of activity." (The September blog post that first revealed the breach said hackers had acquired access to around 50 million users, but that it wasn't yet known whether any data had been stolen.)

The investigation is continuing. "As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the U.S. Federal Trade Commission, and other authorities," the post says.

Casey Oppenheim, founder of the data security firm Disconnect, outlined some of the dangers for CR before Facebook's most recent announcement.

"If they have access to your account, they can basically impersonate you online and have access to anything you do on Facebook,” he says. In addition to downloading personal data, that includes sending messages from your account, and potentially sending money to other people through Facebook Payments, he said.

According to the company, attackers exploited a software vulnerability that enabled them to steal Facebook access tokens. These are, essentially, digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the platform. Whoever holds a valid token can use the account without knowing the password, which is why invalidating the tokens, by logging affected users out, was the immediate fix.

The vulnerability was found in the View As feature that’s designed to let people see what their profile looks like to other users.

The breach also could have compromised Facebook Login, which allows consumers to use a Facebook account to sign into third-party accounts for popular services like Netflix, ESPN, and Spotify. But in the days following the announcement of the attack, Facebook reported that it had found no evidence that this had occurred.

When the attack was first reported, Facebook closed the vulnerability, logged out users who might have been affected, and turned off the View As feature.

While details about the attack are still emerging, privacy advocates suggest that this incident is a symptom of a larger problem.

“Big data companies like Facebook and Google do a very good job of convincing people they have good security, but we’ve seen that’s not the case,” Oppenheim says. “The incredible amount of information they collect is subjected not only to unauthorized sharing, as in Cambridge Analytica, and government surveillance, but now to criminal theft.”

This data breach has come when Facebook users have already absorbed news about misuse of the platform by Cambridge Analytica, a Facebook program to share user data with device makers, and criticism of the platform for using “dark patterns” that lead consumers to reveal more personal information than they may have intended.

There’s evidence that such revelations have eroded users’ confidence in the platform. In a recent nationally representative survey of more than 2,000 U.S. adults, 7 in 10 Facebook account holders told Consumer Reports they altered the way they use the platform because of privacy concerns raised by the Cambridge Analytica scandal—for instance, by posting less or tightening their privacy settings.

What Should You Do?

"People can check whether they were affected by visiting our Help Center," the new Facebook blog post says. In the next few days, victims of the attack should receive messages explaining what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.

Facebook says it logged users out of all affected accounts when the breach was first discovered, deleting the problematic tokens. However, to be cautious, other users can log out of their accounts and log back in again.

Many people may be logged in to the platform on multiple computers and devices, however. It's not enough to just log out from the pull-down menu on your home page, which logs you out only on the device you're using. Instead, go to the “Security and Login” page on your account and look under “Where You’re Logged In.”

At the lower right is the option to “Log out of all sessions.” Clicking it shows this message:

“This will log you out of Facebook from every device you’re currently logged in on. If you didn’t log in on any of these devices, we can help you secure your account.”

If any of the devices are unfamiliar to you, alert Facebook. Otherwise, just click Log Out. You’ll now have to use your password to log back in on your laptop and other devices you use to access the platform.
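To make concrete why the advice above distinguishes the menu logout from “Log out of all sessions,” here is an added Python example, written for this page and not Facebook's own code. It models a server-side session store in which every login on every device gets its own random bearer token, the kind of access token described earlier. The SessionStore class, the user "alice," the device names and the attacker's token are all constructed for illustration; how the attacker obtained a token is not modelled, it is simply inserted as one more live session, which is what an unfamiliar entry under “Where You’re Logged In” would look like.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    """One logged-in device: the bearer token it holds and how it is shown to the user."""
    token: str
    device: str
    created: float


class SessionStore:
    """Illustrative server-side session store (not Facebook's): user -> {token -> Session}.

    Each login mints a fresh random bearer token. Whoever presents a valid token is
    treated as the user with no password check, so revocation is the only way to
    shut out a token that has leaked.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, dict[str, Session]] = {}

    def login(self, user: str, device: str) -> str:
        """Mint a token for one device; the same user can hold many at once."""
        token = secrets.token_urlsafe(32)
        self._sessions.setdefault(user, {})[token] = Session(token, device, time.time())
        return token

    def user_for_token(self, token: str) -> str | None:
        """Resolve a presented token to a user, or None if it is unknown or revoked.

        The linear scan keeps the example short; a real store indexes by a hash of
        the token. The comparison is constant-time so the lookup does not leak bytes.
        """
        presented = token.encode()
        for user, sessions in self._sessions.items():
            for stored in sessions:
                if hmac.compare_digest(stored.encode(), presented):
                    return user
        return None

    def where_logged_in(self, user: str) -> list[str]:
        """What a 'Where You're Logged In' page would list: one entry per live token."""
        return [s.device for s in self._sessions.get(user, {}).values()]

    def logout(self, token: str) -> bool:
        """Menu logout: revokes only the token of the device doing the logging out."""
        for sessions in self._sessions.values():
            if token in sessions:
                del sessions[token]
                return True
        return False

    def logout_all(self, user: str) -> int:
        """'Log out of all sessions': revokes every token the user holds, on every device."""
        revoked = len(self._sessions.get(user, {}))
        self._sessions[user] = {}
        return revoked


def walkthrough() -> dict:
    """Replays the page's advice against the store and returns what each step shows."""
    store = SessionStore()
    laptop = store.login("alice", "Laptop, Chrome")
    phone = store.login("alice", "Phone, Facebook app")
    # Constructed stand-in for a token an attacker holds without the password.
    # How it was obtained is not modelled; it is simply another live session.
    attacker = store.login("alice", "Unknown device")

    out = {}
    out["unfamiliar_devices"] = [d for d in store.where_logged_in("alice") if d == "Unknown device"]

    store.logout(laptop)  # the pull-down-menu logout, done from the laptop
    out["attacker_token_valid_after_menu_logout"] = store.user_for_token(attacker) == "alice"
    out["laptop_token_valid_after_menu_logout"] = store.user_for_token(laptop) == "alice"

    out["revoked_by_logout_all"] = store.logout_all("alice")
    out["attacker_token_valid_after_logout_all"] = store.user_for_token(attacker) == "alice"
    out["phone_token_valid_after_logout_all"] = store.user_for_token(phone) == "alice"
    # After logout_all, the phone, like the attacker, must present the password again.
    return out


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step}: {value}")
```

The walkthrough shows the two points the advice rests on: logging out from one device leaves every other token, including one you never minted, fully usable, while “Log out of all sessions” removes all of them at once, at the cost of re-entering the password on your own devices. The “Unknown device” entry is the cue to alert Facebook before clicking Log Out.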

The breach also put Facebook Login at risk, a feature that allows users to log into third-party accounts for websites like The New York Times, Pandora, and Yelp. While Facebook says there's no evidence that attackers gained access to third-party apps, this may be a good time to consider whether you want to continue using this feature.

To determine which sites you're currently accessing with a Facebook Login, go to a computer and click on the downward arrow at the top right of your Facebook page and choose Settings > Apps and Websites > Active.

If you want to stop logging in to the site with Facebook, click on the box next to the app’s logo and select Remove.

Remember that removing an app can leave you locked out of that third-party account, so set up a separate login and password with each service before making changes, and contact the website for help keeping your data or settings.

If you want to continue using that third-party account, you'll need to log in with a username and password the next time you're using the site. Select a strong, unique password, and to make it easier to create and keep track of your new passwords, consider using a password manager.

The next step? Monitor your account carefully for any unusual activity, and report anything suspicious to Facebook immediately.

If you’ve stopped using Facebook regularly, CR’s Brookman suggests, you might want to consider deactivating or deleting your account to enhance your privacy and security. Otherwise, make sure you examine and adjust the platform’s settings to enhance your privacy.