Facebook hack: 50 million users affected by site code flaw


Facebook has revealed that it discovered a security issue which could have exposed the accounts of 50 million people.

A vulnerability in Facebook's View As feature was discovered on Tuesday, September 25. The company has not given many details about how the flaw was exploited or by whom, but it has said that attackers were able to steal access tokens and use them to access other people's accounts. Law enforcement agencies have been informed, and an investigation is under way.


In a blog post revealing the security issue, Facebook says: "On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security".

The social networking giant goes on to say:

Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.

Facebook explains that the attack took advantage of the complicated interactions between "multiple issues in our code". It says that the issue stems from a change made to the video uploading feature back in June 2017, but explains that "the attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens".

The company says it has taken action:

First, we've fixed the vulnerability and informed law enforcement.

Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, we're temporarily turning off the "View As" feature while we conduct a thorough security review.
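The token reset described above can be implemented server-side without touching passwords, which is why none of the steps asks users to change theirs. The following is an added, constructed Python sketch, not Facebook's code (the article says nothing about the real token format): every issued token embeds the account's current "generation" number, so bumping that number for the affected accounts (and for the precautionary "View As" cohort) invalidates every earlier token, stolen copies included, while legitimate users simply log in again.

```python
# Added example, not Facebook's code: the article gives no detail of the real
# token format. It shows one server-side way to "reset access tokens": every
# token embeds the account's current generation number, so bumping that number
# invalidates every token issued before the reset, including any stolen copy.
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: key held only by the server
ONE_YEAR = 365 * 24 * 3600


class TokenService:
    def __init__(self):
        self.generation = {}   # account_id -> current token generation
        self.view_as_log = {}  # account_id -> last time a "View As" looked it up

    def issue(self, account_id):
        gen = self.generation.setdefault(account_id, 1)
        body = f"{account_id}:{gen}:{secrets.token_hex(8)}"
        mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{mac}"

    def validate(self, token):
        """Return the account id for a live token, None if forged or revoked."""
        try:
            account_id, gen, nonce, mac = token.split(":")
        except ValueError:
            return None
        body = f"{account_id}:{gen}:{nonce}"
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None                       # forged or tampered
        if int(gen) != self.generation.get(account_id):
            return None                       # issued before a reset: revoked
        return account_id

    def reset(self, account_ids):
        """Invalidate all outstanding tokens of the given accounts."""
        for account_id in account_ids:
            self.generation[account_id] = self.generation.get(account_id, 1) + 1

    def record_view_as(self, account_id, when=None):
        self.view_as_log[account_id] = time.time() if when is None else when

    def precautionary_cohort(self, now=None):
        """Accounts looked up via "View As" in the last year: reset them too."""
        now = time.time() if now is None else now
        return {a for a, t in self.view_as_log.items() if now - t <= ONE_YEAR}
```

The generation check is what makes a reset effective immediately: a token copied out of an attacker's hands remains cryptographically valid but no longer matches the account's current generation.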

It is not clear how many accounts, if any, were actually accessed by the attackers, or whether any data has been misused. Facebook says: "We also don't know who's behind these attacks or where they're based".

Despite what you might expect, the advice is not to change your Facebook password:

People's privacy and security is incredibly important, and we're sorry this happened. It's why we've taken immediate action to secure these accounts and let users know what happened. There's no need for anyone to change their passwords. But people who are having trouble logging back into Facebook -- for example because they've forgotten their password -- should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the "Security and Login" section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.

Image credit: Silver Wings SS / Shutterstock

© 1998-2018 BetaNews, Inc. All Rights Reserved.