Above: A building in Saint Petersburg allegedly containing the office space given over to a Russian state-sponsored troll factory. Credit: Dmitry Lovetsky/AP/US govt.
Facebook said on Friday that an attack on the company's computer systems [in September] affected 30 million users, about 20 million fewer than it estimated earlier. [However] the personal information that was exposed was far more intimate than what was originally thought.--New York Times, 12 October 2018.
The attackers used a portion of 400,000 people's lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information--name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches--Facebook Newsroom, 12 October 2018.
Someone, some people, have now got substantial personal data pertaining to fourteen-million individual FB users. The original hackers might well have sold on the data already. What is such info useful for?
The data could be used to set up spoof FB accounts and/or spoof email accounts. Using such data it would be possible to begin to impersonate any one of those hacked individuals for malicious reasons such as fraudulent representations. "I" might soon be requesting my back-office to wire-transfer a certain sum of money to a certain bank account somewhere. (The email request would appear to come from my usual email address--nothing suspicious about it at all.) "I" might soon be going on an illegal Lolita-porn website from an IP address in, say, Taiwan. I can say it's all faked. Maybe, but then again the account-data is all accurate and current. So, it's not fake ... it's just ... heisted. It's me, but not really. Nothing to do with me.
Or, someone working at a troll factory in, say, Omsk, perhaps this very evening, might begin impersonating me online (utilizing social-media accounts opened using my personal details) with the purpose of disseminating disinformation intended to destabilize and undermine the institutions of Western Democracy, and the rule of law.
But who cares about things like that? It's not much of a big deal this anyway. Facebook is saying it's not even necessary to change FB password. The vulnerability is fixed now. Close call though .... I mean, it could have been a serious data breach.
(13 October 2018)