![](\"https:\/\/media.wired.com\/photos\/5bc0e2a080ec002859e56bef\/master\/pass\/FacebookToken-BW-151811218.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Fri, 12 Oct 2018 18:32:27 +0000<\/strong><\/p>\n At the end <\/span>of last month, Facebook<\/a> made a bombshell disclosure<\/a>: As many as 90 million of its users<\/a> may have had their so-called access tokens\u2014which keep you logged into your account, so you don't have to sign in every time\u2014stolen by hackers. Friday, the company put the actual number at 30 million. Here's how to see if you were one of them, and if so, what the hackers got from your account.<\/p>\n There might understandably be some confusion around the matter; a few weeks ago, Facebook logged out 90 million of its users out of an abundance of caution, making them reset their passwords and negating the access token hack. Over the next few days, Facebook will insert a customized message into the News Feeds of the 30 million people whose accounts were actually impacted, based on the extent of the damage.<\/p>\n "People\u2019s accounts have already been secured by the action we took two weeks ago to reset the access tokens for people who were potentially exposed\u2014no one needs to log out again, and no one needs to change their password," says Guy Rosen, Facebook's vice president of product management. "We\u2019ll be explaining what information the attackers may have accessed as well as steps they can take to help protect themselves from any suspicious emails or text messages or calls that could potentially result from this kind of information being exposed. "<\/p>\n If you don't want to wait for the message to hit your News Feed to find out if you're okay, go ahead and see if you were among those hit at this page<\/a>. Across past the background paragraph, and you\u2019ll see a header that reads Is my Facebook account impacted by this security issue?<\/strong><\/p>\n From there, you\u2019ll see one of three outcomes. If it says that based on what Facebook knows so far, you\u2019re not impacted, you should be in the clear pending any revelations. The company says that one million of the 30 million people who had their access tokens stolen didn\u2019t have any of their data comprised.<\/p>\n The remaining 29 million users will see one of two messages, depending on the extent of the damage. Fifteen million of them had their name, email addresses, and phone number accessed by hackers. While that\u2019s not ideal by any accounting, the remaining 14 million Facebook users are left with a much worse result.<\/p>\n In addition to the basic contact information above, the list of details hackers accessed is long: username, date of birth, gender, devices you used Facebook on, and your language settings, at the very least. If you filled out the relationship status, religion, hometown, current city, work, education, or website sections of your profile, they got that too. And most unsettling of all, they could have accessed the 10 most recent locations you checked into or were tagged in, and the 15 most recent searches you\u2019ve entered into the Facebook search bar.<\/p>\n "No one needs to log out again, and no one needs to change their password."<\/p>\n Guy Rosen, Facebook<\/p>\n Facebook says they\u2019ve seen no signs yet that attackers used its access tokens to infiltrate third-party apps and services<\/a>, as was technically possible<\/a>. And it maintains that no account passwords or credit card information was compromised. But the amount of information, and its sensitive nature, should be a boon to phishers and scammers for years to come. You can change your password or cancel a credit card. Your hometown will always be just that. And where you\u2019ve been and whom you\u2019ve searched for are deeply personal parts of your life, both online and in the real world.<\/p>\n Facebook at least acknowledges this in its support page, offering some advice about how to avoid phishing attempts<\/a>, like being \u201ccautious of unwanted phone calls, text messages or emails from people you don't know.\u201d Presumably, you were doing this anyway. The rest of the advice is similarly rudimentary, but that\u2019s in part because there\u2019s only so much you can do to stop that kind of attack. If a determined phisher wants to get you, they almost certainly will eventually<\/a>. Especially if they have access to the kind of data that Facebook\u2019s security fail has given away.<\/p>\n