Facebook Hack Included Search History and Location Data of Millions

SAN FRANCISCO — Facebook said Friday that an attack on its computer systems that was announced two weeks ago had affected 30 million users, about 20 million fewer than it estimated earlier.

But the personal information that was exposed was far more intimate than originally thought, adding to Facebook’s challenges as it investigates what was probably the most substantial breach of its network in the company’s 14-year history.

Detailed information was stolen from the Facebook profiles of about 14 million of the 30 million users. The data was as specific as the last 15 people or things they had searched for on Facebook and the last 10 physical locations they had “checked into.”

Other personal details were also exposed, like gender, religious affiliation, telephone number, email addresses and the types of computing devices used to reach Facebook.

Users’ names and contact information like telephone numbers were stolen from an additional 15 million profiles, Facebook said. The security tokens of about 1 million other people were stolen, but hackers did not get their profile information, the company said.

The hackers did not gain access to account passwords or credit card information, Facebook said.

“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed,” Guy Rosen, vice president of product management, wrote in a blog post Friday.

While Facebook has cautioned that the attack was not as large as it had originally anticipated — it forced 90 million users to log out so the security of their profiles would reset — the details of what was stolen worried security experts. The data can be used for all sorts of schemes by sophisticated hackers.

“Hackers have some sort of a goal,” said Oren J. Falkowitz, chief executive of the cybersecurity company Area 1 Security and a former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.”

An attacker may use that information to conduct sophisticated “phishing attacks,” a method used to get into financial accounts, health records or other important personal databases, Falkowitz said.

“Once you’ve become a target, it never ends,” he said.

The breach was disclosed at the worst possible time for Facebook, which is grappling with a series of crises that have shaken user trust in the world’s largest social network.

Over the last year, Facebook has faced repeated criticism that it hasn’t been doing enough to protect the personal information of its more than 2 billion regular users.

In March, Facebook was hit by revelations that Cambridge Analytica, a British consulting firm that had worked for the Trump campaign, had gained access to the private information of up to 87 million users.

The company is also dealing with concerns that disinformation on its platforms has affected elections and has even led to deaths in several countries. On Thursday, Facebook disclosed that it had removed hundreds of accounts and pages used to spread disinformation in the United States. While Russian agents had used Facebook and other social media to incite conflict before the 2016 election, domestic sources of false or misleading posts have jumped into the fray, the company said.

Disinformation has had dire results outside the United States. In Sri Lanka, Myanmar and other countries, hundreds of people have been killed, partly because of the rampant spread of misinformation across social networks and other internet sites.

Former employees have also taken to criticizing Facebook. Brian Acton, a co-founder of the Facebook-owned smartphone application WhatsApp, has called for people to delete their Facebook accounts.

The breach could affect users’ willingness to use Facebook products. On Monday, Facebook debuted Portal, the company’s first hardware device built from the ground up, for high-definition video calls. The product asks users to install a camera in their living rooms.

Facebook first found hints of suspicious activity across its network in early September when security engineers noticed a flurry of activity around the “View As” feature, a way for users to check on what information other people can see about them. It was built to give users move control over their privacy.

More than a week later, Facebook determined that the activity was an attack on its systems, focused on three interconnected vulnerabilities in the company’s software.

Those flaws were compounded by a bug in Facebook’s video-uploading program for birthday celebrations, a software feature that was introduced in July 2017. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.

Facebook fixed the bugs and alerted users on Sept. 28 that the accounts of about 50 million users had been compromised.

In the days since, Facebook has scrambled to figure out how things went wrong, who could be responsible for the attack and what the attackers planned to do with the information.

In a conference call with reporters on Friday, Rosen declined to answer who might be responsible for the attack or how the information could be used.

Facebook engineers are working closely with the FBI on the hack. FBI officials have asked Facebook not to share details on the suspected identities of the attackers for fear of compromising the investigation.