Facebook has suffered a data breach affecting almost 50 million accounts. Another 40 million have been reset as a “precautionary step”.
What’s happened?
In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September 2018.
Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.
Rosen says the vulnerability is now fixed.
We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
Those affected will now have to log back into Facebook, and any apps that use Facebook Login.
Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts.
It’s still early days but Facebook says it looks like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.
Facebook says it doesn’t yet know if any accounts were misused or information was accessed.
But access tokens are what Facebook uses to authenticate you, so if you were affected you should assume that the attackers had access to all of your data – anything you can see, read, download or change when you log in to Facebook.
Serious bugs in Facebook are nothing new – we report on them all the time – but we normally hear about them through the company’s bug bounty program.
Facebook doesn’t know who was behind this attack, or why they did it, but whoever did it passed up on some very lucrative bounties.
What to do?
If you’ve been forcibly logged out by Facebook, then the forced logout will automatically have invalidated any existing access tokens for your account.
Rosen says there’s no need for anyone to change their passwords.