Facebook on Friday revealed that its engineering team has discovered a security breach that affected almost 50 million users on its platform.
The attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else, the company said in a blog post.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.” You can read the complete post here.
Facebook has fixed the vulnerability and informed law enforcement. The breach forced millions of Facebook’s users across the globe to log out of their accounts as the company “reset the access tokens of the almost 50 million accounts that were affected to protect their security.”
As a precautionary step, Facebook is also resetting access tokens for another 40 million accounts. The ‘View As’ feature has been turned off for the time being.
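The remediation described above, resetting access tokens so that every existing login for an affected account stops working and the user is forced to sign in again, is easy to see in a small server-side token store. The following is an added example written for this page, not Facebook's code; the class and function names, the per-user "generation" counter used for bulk revocation, and the sample users are all constructed.

```python
"""Added example (not Facebook's code): a minimal server-side access-token
store showing how a bulk token reset forces affected accounts to re-login.
Names, the generation scheme and sample users are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Session:
    user_id: str
    generation: int   # per-user generation the token was issued under
    issued_at: float
    device: str


class TokenStore:
    """Opaque access tokens kept in memory. Because the token is random and only
    meaningful through this lookup table, the server can revoke it at will
    without involving the client at all."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._generation: Dict[str, int] = {}   # user_id -> current generation

    def issue(self, user_id: str, device: str = "web") -> str:
        """Log a user in: mint a 256-bit random token bound to the current generation."""
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user_id, 0)
        self._sessions[token] = Session(user_id, gen, time.time(), device)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live token, or None if unknown or reset."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        # A token issued under an older generation was reset; purge it lazily.
        if sess.generation != self._generation.get(sess.user_id, 0):
            del self._sessions[token]
            return None
        return sess.user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> int:
        """Invalidate every token for the given accounts in one pass by bumping
        their generation; no per-token scan is needed. Returns users reset."""
        count = 0
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1
            count += 1
        return count

    def active_sessions(self, user_id: str) -> List[Session]:
        """The 'where you're logged in' listing for one user."""
        return [s for t, s in list(self._sessions.items())
                if self.validate(t) == user_id]


def demo() -> dict:
    """Walk through an issue / reset / re-login cycle with constructed users."""
    store = TokenStore()
    alice_web = store.issue("alice", "web")
    alice_app = store.issue("alice", "android")
    bob_web = store.issue("bob", "web")
    before = store.validate(alice_web)
    reset_count = store.reset_tokens(["alice"])      # only alice is "affected"
    after = {
        "alice_web": store.validate(alice_web),      # None: forced logout
        "alice_app": store.validate(alice_app),      # None: every device
        "bob_web": store.validate(bob_web),          # "bob": untouched
    }
    alice_new = store.issue("alice", "web")          # she signs back in
    return {
        "before": before,
        "reset_count": reset_count,
        "after": after,
        "alice_new_valid": store.validate(alice_new) == "alice",
        "alice_sessions": len(store.active_sessions("alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the generation counter is that a reset is a single integer increment per account, so resetting tens of millions of accounts costs the same as resetting one; the stale tokens are discarded the next time each one is presented. The same primitive implements a user's own "log out of all sessions" button.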
If you’ve been logged out of your account and asked to sign back in, it’s because we’ve discovered a security issue and are taking immediate action to protect people on Facebook. Learn more https://t.co/XLcHGYFBu2
— Facebook (@facebook) September 28, 2018
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” the company said.
Do you need to change your password?
Facebook claims that the affected users, who have been forced to log out of their accounts, need not change their passwords, but “if anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in settings.” It lists the places people are logged into Facebook, with a one-click option to log out of them all.
This is not the first time Facebook has experienced a major security breach. In March this year, the world’s largest social media network faced government scrutiny in Europe and the United States following a whistleblower’s allegations that London-based political consultancy Cambridge Analytica improperly accessed user information to build profiles on American voters that were later used to help elect US President Donald Trump in 2016.
“This was a major breach of trust. I’m really sorry this happened. We have a basic responsibility to protect people’s data,” Mark Zuckerberg had said in an interview.