Facebook has confirmed that three million European users’ accounts were affected when it suffered a major breach last month. The figure represents 10 per cent of the total affected userbase.
In a statement emailed to NS Tech, a Facebook spokesperson said: “These are numbers we have shared with policy makers and regulators following last week’s update on the recent security issue.”
It is not yet clear how the European accounts were affected, but the company has vowed to directly contact all of those impacted by the breach and explain what information the attackers might have accessed.
On Friday, Facebook published an update on the state of its investigation into the breach. It revealed a total of 30 million users around the world had been affected by the breach, which involved hackers stealing users’ access tokens through a security glitch.
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles),” the company’s vice president of product management Jay Rosen said in a statement. “For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.”
This additional information included “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”.
Of the 400,000 users whose information was initially taken, Rosen said: “If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.” For one million, no data was taken.
The revelations have already attracted the attention of data privacy regulators in the EU. The Irish Data Protection Commission is leading the European investigation and confirmed it was aware that three million users had been affected.
It is the first major breach of European user data by an American tech giant since the General Data Protection Regulation came into force in May. Under GDPR, companies are liable to up to four per cent of their annual global turnover.