News Ticker

Facebook Data Breach: 50 million accounts affected

Facebook Data Breach: 50 million accounts affected

By Sophos

In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September.

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Rosen says the vulnerability is now fixed.

We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.

Those affected will now have to log back into Facebook, and any apps that use Facebook Login.

Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts.

It’s still early days but Facebook says it looks like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.

Facebook says it doesn’t yet know if any accounts were misused or information was accessed.

But access tokens are what Facebook uses to authenticate you, so if you were affected you should assume that the attackers had access to all of your data – anything you can see, read, download or change when you log in to Facebook.

Serious bugs in Facebook are nothing new – we report on them all the time – but we normally hear about them through the company’s bug bounty program.

Facebook doesn’t know who was behind this attack, or why they did it, but whoever did it passed up on some very lucrative bounties.

What to do?

If you’ve been forcibly logged out by Facebook, then the forced logout will automatically have invalidated any existing access tokens for your account.

Rosen says there’s no need for anyone to change their passwords.

(Access tokens are generated randomly after Facebook has gone through the process of validating your password when you login. There’s no way to work backwards from an access token to recover your password.)

Whether you’re affected or not, as a precautionary measure you can choose to log out of all your Facebook sessions as described below.

The process can be quite cumbersome so please read through the instructions fully.