Facebook originally estimated that up to 50 million people were affected by an attack on the site announced on September 28 and shrank that number down to 30 million a few weeks later. This week, a report from The Wall Street Journal (WSJ) claimed that Facebook has internally blamed the attack on spammers.
Facebook discovered the attack on September 25 and publicly revealed it on September 28. The company released an update on October 12 with its revised estimate for the number of people affected by the attack, but it has yet to share any information about the attackers with the public. The FBI, which is assisting with the investigation into the attack, is said to have asked Facebook not to discuss the attackers’ identities.
Quoth the Journal: “Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team, said the people familiar with the investigation.” Facebook has repeatedly declined to confirm or deny WSJ’s report or discuss the attackers’ identities.
This attribution is supported by the attackers’ decision to compromise a limited amount of information that was available to them. Facebook said the attack relied on a vulnerability in the “View As” feature that lets people view their profiles from other perspectives. Once that vulnerability was exploited, the attackers could steal the access tokens used to let people use their accounts without having to log in every time to do so. The social media platform’s vulnerability existed between July 2017 and September 2018.
The attackers could have wreaked havoc with those access tokens, but according to Facebook’s update on the attack, they were mostly concerned with stealing contact information (of which Facebook has even morethan most people expect). This data would prove particularly valuable to spammers who make their living by contacting as many people as possible.
In any case, this is the biggest attack in Facebook’s history, and this almost certainly won’t be the last we hear of it.