FBI investigating Facebook security breach where attackers accessed 30 million users’ personal information

“Facebook revealed on Friday that a previously announced security breach on its platform had a wide impact for some users, and it confirmed that the hack compromised personal and contact information,” Ryan Mac reports for BuzzFeed News. “The company said the FBI is actively investigating the hack and asked Facebook not to disclose any potential culprits.”

“The attack, detected in late September, exposed some users’ emails and phone numbers, as well as profile information including gender, location, birth date, and recent search history,” Mac reports. “The attack involved the capturing of Facebook ‘access tokens,’ or digital keys that allow websites to recognize who someone is and keep them logged in. Using accounts they already controlled, the attackers used an ‘automated technique’ to exploit Facebook’s ‘View As’ functionality and steal access tokens for some 400,000 people. Hackers then used friend lists from a portion of those 400,000 affected accounts to obtain access tokens for another 30 million people.”

Mac reports, “‘For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles),’ the company said in its release. ‘For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.'”

Much more in the full article here.

MacDailyNews Take: Faceplant.

As we’ve written previously, “If you trust Mark Zuckerberg to be the keeper of your photos, contacts, political views, religious beliefs, etc., you’re batshit insane.”

Instant messages sent by Mark Zuckerberg during Facebook’s early days, reported by Business Insider, May 13, 2010:

Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend’s Name]: What? How’d you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don’t know why.
Zuckerberg: They “trust me”
Zuckerberg: Dumb fucks

We use FaceBook as an RSS feed. Our CMS automatically reposts our article headlines and links them back to our website. That is our only interaction with Facebook and has been our only interaction with Facebook for years. We deleted our personal accounts [which we opened only so we could understand the Facebook phenomenon] many years ago.

If you want to share photos and videos with friends, text them using Apple’s end-to-end encrypted iMessage service. You need to control your social networking, not cede it to a gatekeeper like Facebook. – MacDailyNews, March 19, 2018


Facebook discovers security breach affecting 50 million users – September 28, 2018
Facebook is giving advertisers access to users’ shadow contact information – September 27, 2018
42% of U.S. users have ‘taken a break’ from Facebook; 28% have deleted the Facebook app in the past year – September 5, 2018
Mark Zuckerberg loses $16 billion in record Facebook fall – July 26, 2018
Facebook stock plunges as users vanish – July 25, 2018
Apple highlights user privacy as Facebook exec steps down – June 14, 2018
The 18 things you may not realize Facebook knows about you: Firm reveals the extent of its spying in a 454-page document to U.S. Congress – June 12, 2018
Facebook confirms sharing users’ personal data with Chinese companies – June 6, 2018
Apple’s macOS Mojave removes integration with third-party internet accounts like Facebook – June 6, 2018
Apple borks Facebook’s pervasive personal data-harvesting operation – June 5, 2018
Apple requested ‘zero’ personal data in deals with Facebook – CEO Tim Cook – June 5, 2018
Facebook CEO blasts Apple’s latest privacy protections as ‘cute virtue signaling’ – June 5, 2018

[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]


  1. Agreed, Facebook from day one was scum. What a shame Apple ever legitimized them with iOS integration. Somehow the geniuses at Apple were taken in by the Facebook fad too.

    It’s not clear to me that Apple has done the due diligence required to ensure 3rd party apps don’t datamine you.

    Finally let’s not forget Apple has chosen to chase google with big brother cloud rental. How big a target is Apple? It’s only a matter of time before iCloud is hacked. Keeping your data on somebody else’s computer is never a good idea.

    1. Hey, for once I totally agree with you.

      Seem to recall, unless I’m wrong, a famous actress’s nude photos were hacked in iCloud and released on the internet. An isolated incident, but I don’t use or trust Apple’s iCloud any more than I trust Facebook or Google. I don’t think people realize what they are exposing themselves to and everything is saved.

      You want total bulletproof privacy, simple. Store everything private on your personal server, Mac Minis are great, and backup disks and never connect them to the internet, DONE.

      I have a spare computer specifically dedicated to connect to the internet for consumption. Black electrical tape over the camera and a few e-mail addresses.

      Come hack me baby, you got nothing personal land wasting your illegal time…

      1. While you are correct (see, I’m giving you credit!) that the only way to have complete security is to air gap all your devices, that isn’t practical for most of us. We need to use Safari and Mail, for example. An iPhone or iPad that is always in airplane mode is not very useful.

        Apple does an excellent job of protecting us. If you are worried about facing Jennifer Lawrence’s fate (since your nude photos would be as popular as hers, no doubt), just don’t give anybody your iCloud password… which she did as a result of a phishing expedition. The Australian teenager got into Apple’s internal network (which has to be fairly exposed to allow remote access by thousands of employees), but he could not access any customer data.

        1. “just don’t give anybody your iCloud password”

          Which apparently some non-technical folks think is “hacking”.

          “Hey, give me your password”
          Minutes later..
          “I’VE BEEN HACKED!!”

    2. Forgot to mention. When a 16-year-old kid from Australia can hack Apple repeatedly, it speaks volumes about security. While they claim to be the best, it’s important to remember they are not INFALLIBLE…

      1. No one is infallible, that is true. But even if your security is the best there is, what’s called social engineering can overcome locktight security. Bruce Schneier says, the best cryptography cannot protect you from people in the system who are sloppy, lazy, or inattentive, which applies to every human. Kevin Mitnick says people in the system are (unfortunately) naturally helpful and open to any reasonable-sounding pretext. And then there are the precocious hackers who enjoy spending all their time as script kiddies, for the sheer joy of finding chinks in the marble edifices of an uncaring bureaucratic world, or the starz kids who compete for points outing celebrities in an underground pecking order. Some of them, in places like Romania, sell out to governments and become “state actors” so they can feed their families. We can preach ethics all we want but the hackers are young, poor, disaffected, and unemployed. All that being said, I admire their individualism, ingenuity, enterprise, and indifference to social norms.

  2. Add these to your hosts file located at /private/etc/hosts:
     facebook.com
     facebook.net
     http://www.facebook.com
     connect.facebook.net
     graph.facebook.com
     facebookinc.122.2o7.net
     ads.ak.facebook.com
     creative.ak.facebook.com
     creative.ak.fbcdn.net

    Probably a couple dozen more there, but it’s a start.
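The hosts-file approach from the comment above, as an added example that is not from the page or its commenters: each hosts line needs an address before the hostname (the bare names listed above would be ignored by the resolver), and re-running the script should not duplicate entries. It assumes the caller has write access to the target file; test on a copy rather than on /private/etc/hosts, and note that this only affects the local resolver, not apps that resolve names over their own channels.

```shell
#!/bin/sh
# block_domains HOSTS_FILE DOMAIN... : append "0.0.0.0 DOMAIN" sink entries
# for each domain not already present in HOSTS_FILE (idempotent).
# HOSTS_FILE is a path you control (e.g. a copy of /private/etc/hosts).
block_domains() {
  hosts_file="$1"; shift
  [ -f "$hosts_file" ] || : > "$hosts_file"
  for d in "$@"; do
    # escape dots so the hostname is matched literally in the regex
    esc=$(printf '%s' "$d" | sed 's/\./\\./g')
    # skip if any address already maps this exact hostname
    if grep -Eq "^[0-9a-fA-F.:]+[[:space:]]+$esc([[:space:]]|$)" "$hosts_file"; then
      continue
    fi
    printf '0.0.0.0 %s\n' "$d" >> "$hosts_file"
  done
}

# count_blocked HOSTS_FILE DOMAIN : print how many 0.0.0.0 sink lines
# exist for DOMAIN (0 when none); never fails so it is safe under set -e.
count_blocked() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Ec "^0\.0\.0\.0[[:space:]]+$esc([[:space:]]|$)" "$1" || true
}
```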
