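Facebook said on the 14th (local time) that an estimated 30 million accounts in total had personal information leaked as a result of the hack.
Facebook had earlier announced in a blog post that it was hacked on the 29th of last month and that access tokens for about 50 million accounts were stolen.
Of the 30 million users whose personal information was leaked, about 15 million accounts are estimated to have had only basic information exposed, such as names and contact details, while more than about 14 million accounts were tallied as having had detailed information exposed in addition to the basic information, such as gender, relationship status, recent locations and conversation history.
Of these, about 34,891 leaked accounts are estimated to belong to Koreans, and users can currently check whether they were affected on Facebook's site for checking whether personal information was leaked.
Guy Rosen, Facebook vice president in charge of product, said, “Users’ personal information and security are very important to Facebook,” and expressed deep regret over the personal information leak.
Facebook said it is working this year to improve the safety and quality of its service, and announced that it had removed 559 spam Facebook Pages and 251 accounts.
Facebook's share price, which had already been declining slightly before the announcement, plunged to $150.30 after today's announcement.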
Facebook revealed on Friday that a hack in September allowed attackers to harvest millions of phone numbers and email addresses.
The company said hackers used 400,000 accounts under their control to gain the access tokens of 30 million Facebook users, according to a blog post. Access tokens are used by Facebook users to log into their accounts without having to type in their passwords.
Among the 30 million affected users, 14 million had their names, contact information and sensitive information, such as their gender, relationship status and recent place check-ins, exposed to the attackers, Facebook said. Another 15 million users had their names and contact information breached, and 1 million users solely had their access tokens stolen. Facebook has reset the access tokens for all of those users.
Facebook also published a website where users can check whether their accounts were affected by the breach and, if so, to what degree their information was exposed.
The company said the breach is under investigation by the FBI, which asked Facebook “not to discuss who may be behind this attack.”
“We are still looking at other ways the people behind these attacks may have used Facebook, and we haven’t ruled out the possibility of smaller scale, low-level access attempts,” said Guy Rosen, Facebook vice president of product management, adding that the company had also notified the U.S. Federal Trade Commission and the Irish Data Protection Commission.
“People’s privacy and security are incredibly important, and we are sorry this happened,” Rosen said.
The company said the attack began on Sept. 14 and was not detected until Sept. 25. Within two days, the company fixed its vulnerabilities, stopped the attack and reset the access tokens for impacted users, Rosen said. Those impacted users will receive a note from Facebook on the service in the coming days notifying them of the attack, Rosen said.
Facebook discovered and disclosed the security breach in late September, saying at the time that the issue affected 50 million accounts, with an additional 40 million deemed as “at-risk.” That number was reduced to 30 million, according to a blog post published by the company.
The company has been dealing with several issues concerning the health of its service throughout 2018. Facebook on Thursday, for example, disclosed its decision to remove 559 Pages and 251 accounts that it claimed broke the company’s spam policies.
Shares of Facebook, which were already down slightly before the company’s announcement, fell to a day low of $151.30 per share after Friday’s announcement.