Facebook has been told by the FBI not to disclose the attackers behind a huge hack that attacked tens of millions of users’ accounts, it said.
The mysterious suggestion that one group of attackers could be behind the biggest cyber attack in the company’s history came as Facebook revealed some 30 million people were caught up in the incident, which it first revealed last month.
Facebook said that it had seen a huge spike in activity in the middle of September, which led it to launch an investigation. That investigation found a bug in its code that when exploited allowed hackers to access people’s accounts and steal personal data.
It then went on to suggest that Facebook might know who is behind the attack, and that it was carried out by a single group of attackers. Previously, Facebook had only suggested that the bug existed, and not that it was exploited – apparently by one specific and powerful group of people.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” it wrote in a blog post disclosing the attack.
Facebook said the attackers had begun with access to 400,000 accounts. They could then use the bug to take over the accounts of people who were friends with those original profiles – eventually escalating that process until they took over 30 million accounts.
As well as the major hack by the unnamed group, the bug could have been used in “smaller-scale attacks” which it was continuing to investigate, it said.
It suggested that further information about the attack could be found as the investigation continues, and that it was working with officials around the world to deal with the fallout. As it did so, it would try to find other ways the mysterious attackers used the website to steal data, it said.
“As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities,” the company’s blog post concluded.
The hackers accessed names, email addresses or phone numbers from these accounts, according to Facebook. For 14 million of them, hackers got even more data, such as hometown, birthdate, the last 10 places they checked into or the 15 most recent searches. One million accounts were affected, but hackers didn’t get any information from them.
Facebook isn’t giving a breakdown of where these users are, but says the breach was “fairly broad.” It plans to send messages to people whose accounts were hacked.
Facebook said third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach.