Facebook has published a blog post this evening alerting users to the fact that 50 million accounts might be at risk following the discovery of a breach of its systems on 25th September.
The social network says that attackers exploited a bug in the View As feature, which lets a user see how their own profile appears to another specific user. The exploit allowed attackers to steal access tokens, the digital keys that keep users logged in to their Facebook account. Think of a token as a key that lets you open Facebook without having to type your password every single time; anyone holding a copy of that key can open the door too.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’,” vice president of Product Management at Facebook, Guy Rosen, explained.
“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
The View As feature has been turned off temporarily.
Following the discovery of this breach Facebook has fixed the bug and alerted authorities. While the breach only affected 50 million users, as many as 90 million users will now be logged out of their accounts as a result of an access token reset.
“We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Rosen explained.
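The remediation described above, a bulk access-token reset that logs out the affected accounts without touching anyone's password, comes down to a server-side revocation watermark: each account records the instant of its last reset, and any token issued at or before that instant is rejected even though its signature is still valid. The sketch below is an added illustration, not Facebook's code; the token format, the in-memory store and the hypothetical signing key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional

# Hypothetical signing key for the example only; a real service keeps this in a KMS/HSM.
SECRET_KEY = b"example-signing-key-not-for-production"

# Per-account revocation watermark (constructed in-memory store): every token whose
# issue time is at or before this instant is treated as revoked for that account.
tokens_valid_after: Dict[int, int] = {}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 tag over the raw payload bytes, base64url-encoded."""
    digest = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_token(user_id: int, issued_at: int) -> str:
    """Mint a bearer token of the form base64url(JSON claims) + '.' + tag."""
    claims = {"uid": user_id, "iat": issued_at}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def validate_token(token: str) -> Optional[int]:
    """Return the user id if the token is authentic and not revoked, otherwise None."""
    try:
        body, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return None  # malformed: wrong shape or bad base64
    if not hmac.compare_digest(_sign(payload), tag):
        return None  # tag mismatch: forged or tampered
    claims = json.loads(payload)
    uid, iat = int(claims["uid"]), int(claims["iat"])
    if iat <= tokens_valid_after.get(uid, -1):
        return None  # issued before the account's last reset: revoked, even though signed
    return uid


def reset_tokens(user_ids: Iterable[int], now: int) -> int:
    """Bulk-invalidate every token issued up to `now` for the given accounts.

    Accounts not listed keep their sessions; listed accounts must log in again,
    receiving a token with an issue time later than `now`. Returns the number of
    distinct accounts reset.
    """
    ids = set(user_ids)
    for uid in ids:
        tokens_valid_after[uid] = max(tokens_valid_after.get(uid, -1), now)
    return len(ids)
```

The watermark is a plain integer per account, so resetting tens of millions of accounts is one bulk write rather than a hunt for every outstanding token, and a stolen token that was never seen by the server is still dead after the reset. Tokens must carry an issue time that the server, not the client, controls; a fresh login after the reset simply gets a later `iat`.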
“People’s privacy and security is incredibly important, and we’re sorry this happened” – Guy Rosen VP of Product Management
The extent of the damage is not yet known and Rosen did not state how long the attackers went unnoticed before they were discovered.
The firm is investigating the incident and has said that it will immediately reset any access tokens it discovers have been compromised.
“We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change,” Rosen said.
While Facebook states that users don’t have to reset passwords, we’d recommend doing so as a precautionary measure. Bear in mind that what was stolen here were access tokens, not passwords: the token reset Facebook has already carried out is what invalidates any stolen sessions, so a password change is a belt-and-braces step on top of that rather than a fix on its own.
The VP also says that users who want to take the precautionary step of logging out of every currently logged-in session can do so with one click from the Security and Login section of Facebook’s settings, which lists the places an account is logged in.
[Image – CC BY 2.0 ShopCatalog]