Facebook Reveals Only 30 Million Affected by Hack But Still Faces EU Fines

Last month, Facebook announced it had been the target of a data breach potentially affecting up to 50 million users. The news quickly made headlines around the world causing many to worry about their own accounts.

If you've been logged out of your account and asked to sign back in, it’s because we've discovered a security issue and are taking immediate action to protect people on Facebook. Learn more https://t.co/XLcHGYFBu2

— Facebook (@facebook) September 28, 2018

Facebook facing heavy fines

The social network apologized for the incident in a statement, explained the measures it was taking to protect possibly affected users and said law enforcement authorities had been alerted.

Despite this, EU privacy watchdog Data Protection Commission Ireland (DPC Ireland) announced it was investigating the data breach for possible violations of Europe's new General Data Protection Regulation (GDPR). If found guilty, Facebook was said to be facing fines of up to $1.63 billion. 

.@DPCIreland is awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users. #dataprotection #GDPR #eudatap https://t.co/3oM3BSaSBS

— Data Protection Commission Ireland (@DPCIreland) September 30, 2018

An update released

Now, Facebook has released an update on the breach investigation revealing the true number of users affected by the hack. Luckily, it seems to be better than initially assumed.

Sharing the results of our investigation into the attack we announced two weeks ago: https://t.co/tkDrVV7YZO

— Facebook (@facebook) October 12, 2018

"We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen," said the network's statement.

[see-also]

Facebook further outlined the numbers relating to specific information accessed. 15 million people had their names and contact details (phone number, email, or both) accessed by attackers and 14 million saw the same violation with additional info included such as username, gender, hometown, birthdate, 15 most recent searches and more.

1 million lucky users were completely untouched by the incident. Facebook revealed it was working with the FBI on the issue and that people could check whether they were affected by visiting the Help Center.

In addition, affected users will receive messages in the coming days with details on what information may have been accessed, as well as steps to take to protect themselves. The network also said Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, as well as advertising or developer accounts were not affected.

Investigation continues

An hour after Facebook released their update, DPC Ireland posted a Twitter statement saying the confirmation of a data breach meant it would continue its investigation into the social network. Meanwhile, Facebook has said it would continue to cooperate with the EU watchdog and other authorities to resolve the matter.

Facebook breach: today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack. @DPCIreland’s investigation into the breach and Facebook’s compliance with its obligations under #GDPR continues https://t.co/ots8MZV3bt

— Data Protection Commission Ireland (@DPCIreland) October 12, 2018