Facebook believes that the hackers who gained access to the private information of 30 million of its users were spammers looking to make money through deceptive advertising, according to people familiar with the company’s internal investigation.
The preliminary findings suggest that the hackers weren’t affiliated with a nation-state, the people said.
Facebook’s security team has been investigating the incident since Sept. 25, when it discovered that someone was downloading a large quantity of digital access tokens on the social network.
In several public briefings about the incident, the company has declined to say who is behind the attack, which it has called the biggest security breach in its history. When they first announced the attack, Facebook officials said they may never discover the identities of the hackers.
Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team, said the people familiar with the investigation.
Facebook has previously said it was working closely with the Federal Bureau of Investigation on a criminal probe into the incident.
The incident immediately raised questions about the hackers’ motivation, in part because Russian and Iranian operatives have in the past used social media, including Facebook, to cause mischief in the U.S. Other countries, including North Korea and China, have in the past been accused of cyberattacks for various purposes.
The stolen tokens are digital keys that allowed the hackers to access any part of a user’s Facebook account, and would be of great use to state-sponsored attackers looking to conduct espionage, according to security researchers.
However, the Facebook internal probe suggests the goal of the hackers was financial, not ideological, the people said.
The hackers accessed only a limited subset of the data they could have taken, Facebook said last week. Instead of accessing personal messages, they accessed contact details—including phone numbers and email addresses—gender, relationship status, and search and check-in data belonging to 14 million users. For another 15 million users, only names and contacts were accessed; and the attackers didn’t obtain personal information from 1 million people affected by the breach.
Hackers gained access to the accounts by exploiting a vulnerability in Facebook’s “view as” feature, which lets people see how their profiles appear to others. Three obscure bugs in Facebook’s code allowed the outsiders to steal the data, making it a complicated attack to execute.
The incident is one of the latest setbacks for the social-media giant, which has been under fire for its mishandling of a two-year Russian influence operation on its platform and for failing to protect user data that was shared with third-party developers years ago.