Facebook has revealed that a mass security breach of its systems last year “may have” affected the personal information of up to 111,813 Australian users.
In September last year, hackers exploited three linked bugs to steal name, contact and other information for 29 million users worldwide.
The attackers did this by capturing access tokens - essentially digital keys - that could be used to impersonate other people and to access all parts of their accounts.
In filings to the Office of the Australian Information Commissioner (OAIC), Facebook provided a breakdown of the number of Australian users that could have been caught up in the breach, and the types of information accessed.
“Based on our investigation so far, our best estimate is that Facebook user data for up to 111,813 Australian users may have been accessed as a result of this incident,” the social media company said.
Of that number, Facebook estimated 47,912 Australian users may have had their full name, email address and phone number - if one was associated with the account - accessed by the attackers.
Another 62,306 Australian users may have had a wide range of extra information accessed, including details of the device they used to access Facebook, a list of the most recent places where the user has checked in, recent search queries on Facebook, and other profile information.
For a further 1,595 Australian users, attackers may have accessed all of the above, along with posts on their timeline, their list of friends and groups, and “the names of recent Messenger conversations.”