Facebook has announced a massive security issue affecting at least 50 million of its 2.23 billion active users. While the company is still investigating the issue, it already has taken steps to stop the exploit and protect users. Here’s what we know so far.What happened?
Facebook says its engineering team discovered a security threat that could allow a hacker “to steal Facebook access tokens which they could then use to take over people’s accounts.” This includes third party apps as well as those developed in-house.
It’s unclear exactly when the accounts were breached, but Facebook discovered the issue on Tuesday, 25 September. The issue stems from a change Facebook made to its video uploading feature in July 2017, so it’s possible the vulnerability went unnoticed for a long time.
This attack exploited the complex interaction of multiple issues in Facebook’s code, the company said. The attackers exploited a vulnerability in Facebook’s code related to the ‘View As’ feature, which is designed to let users see how their profile appears on other people’s screens. If you used the feature, hackers were able to steal your access token and potentially take over your account.
According to Facebook, the exploit was patched on Thursday, 27 September.
What’s an access token?
An access token is the thing your browser uses to keep you logged in to your Facebook account after signing in once. Facebook has gone ahead and reset the access token for the 50 million users who were affected as well as another 40 million accounts “that have been subject to a ‘View As’ look-up in the last year.” So, if you had to manually log in to your Facebook account on Friday, 28 September, it’s likely your account was compromised.
What could the hackers do with my account?
Prior to FB learning of the hack, if the attackers were able to retrieve an access token for your account, they could theoretically log in to your account on their machine and have full access to it.
Facebook’s vice president of product, Guy Rosen said on a conference call that hackers would also have access to any app that was linked to your account as well.
Facebook has temporarily disabled the feature as it conducts “a thorough security review”.
The comany said it has “yet to determine whether these accounts were misused or any information accessed”. But if hackers had unfettered access to user accounts, it’s safe to say at least some data was compromised.
Should I change my password?
Definitely, yes. There’s no indication that the attackers were able to steal passwords directly, but changing it will ensure that any access they may have had to your account will be blocked.
To do so:
- Click the menu icon in the top-right corner of any Facebook page and select Settings.
- Click Security and Login.
- Click Edit next to Change Password.
- Click Save Changes.
Should I unlink apps that use Facebook login?
It’s not a bad idea, especially if there are apps that you haven’t used in a while. At the very least you should log out of any Facebook Login apps to reset the access token.
It might be too late for this attack to have protected yourself, but there are many ways to limit your Facebook account. Or you can just delete or disable it altogether.
IDG News Service
Subscribers 0
Fans 0
Followers 0
Followers