Facebook has announced that 29 million accounts have been breached by attackers exploiting a vulnerability in Facebook’s security settings. This is the largest-ever data theft from the social media platform, and it was initially reported as affecting 50 million.
Facebook has said that it will contact affected users over the coming days to inform them if they have been affected by the attack.
According to CRN, attackers stole personal profile details such as dates of birth, employer information, education history, religious beliefs, devices used, pages followed, recent searches, and location check-ins from 14 million users.
The vulnerability that was exploited was live from July 2017 until it was patched last month when Facebook noticed an unusual increase in the use of its “view as” feature.
This feature allowed users to check their privacy settings by viewing their profile as seen by others.
However, there was an error in the site’s software which enabled anyone accessing the “view as” feature to post and browse from the account of the other user.
Opportunistic attackers used this error on accounts they controlled to capture data of their Facebook friends, then used a tool they developed to breach friends of friends and beyond, said Facebook vice president Guy Rosen.
The social media giant released a blog post updating the number of affected users from its original estimate after investigators reviewed activity on potentially affected accounts.
The news comes as Facebook is at an all-time low level of trust, with many governments, regulators, investors, and users worldwide believing that Facebook is not doing enough to safeguard personal data.
The EU data regulator, Japan’s Personal Information Protection Commission (JPPC), and the US Federal Bureau of Investigation have all launched investigations and inquiries into this breach and the company itself.