Facebook just got hit with one of its biggest security breaches ever. Over 50 million accounts got compromised in the attack and are being asked to log into their profile again. Another 40 million have been logged out as a precaution.
This means that over 90 million users will have to sign in again. Facebook isn’t asking them to change their passwords, but it wouldn’t be a bad idea if they did. The company only discovered this attack on September 25 and is still unpacking a lot of details. It’s not completely sure what’s been accessed by the hackers.
Facebook “View As” Hack
As per Facebook’s blog post, its engineering team uncovered a major bug in the “View As” tool. The feature lets people view their profile as someone else in order to check what the other person can see. Another security hole was found in the video uploader. It incorrectly generated an access token which had the permissions of the brand’s mobile app.
Access tokens are basically digital keys which keep users logged in to Facebook so they don’t have to keep re-entering their password every time they open the app. When the video uploader appeared in View As, it produced an access token not for the user, but for the person they were looking up.
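The confused-principal pattern described above, as an added illustration that is not Facebook's code: a session records both the user who actually logged in and the user the page is being rendered as, the vulnerable uploader mints its token from the rendered identity, and the hardened version binds the token to the authenticated principal and refuses to mint one inside a preview at all. Token format, names and the signing key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key for the example only; a real service uses a managed secret.
SIGNING_KEY = b"constructed-demo-key-not-real"


@dataclass(frozen=True)
class Session:
    authenticated_user: str  # whose credentials established the session
    rendered_as_user: str    # whose perspective the page is rendered from (View As)


def mint_token(subject: str, scope: str) -> str:
    """Produce a minimal signed bearer token: b64(payload).b64(hmac)."""
    payload = json.dumps({"sub": subject, "scope": scope}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(sig).decode()}"


def verify_token(token: str) -> dict:
    """Check the signature and return the payload; raise if it was tampered with."""
    payload_b64, sig_b64 = token.split(".", 1)
    payload = base64.urlsafe_b64decode(payload_b64)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(payload)


def vulnerable_uploader_token(session: Session) -> str:
    # Bug pattern: identity is taken from the rendering context, so inside
    # View As the token names the person being viewed, not the viewer.
    return mint_token(session.rendered_as_user, "mobile_app")


def hardened_uploader_token(session: Session) -> str:
    # Fix: bind the token to the authenticated principal only, and do not
    # mint app-scoped tokens at all while a View As preview is active.
    if session.rendered_as_user != session.authenticated_user:
        raise PermissionError("token issuance disabled inside View As preview")
    return mint_token(session.authenticated_user, "mobile_app")


def token_matches_session(session: Session, token: str) -> bool:
    # Detection check a token endpoint can run before handing a token back:
    # a subject that differs from the authenticated user is a confused principal.
    return verify_token(token)["sub"] == session.authenticated_user
```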
This complicated mix of errors allowed hackers to worm their way through Facebook’s defenses. They stole the access token and used it to log in as another person, repeating the process over and over again. The BBC reports that even the firm’s CEO Mark Zuckerberg got exposed to the attack.
Facebook has fixed these vulnerabilities and reset the access tokens of the 50 million accounts affected by the breach, plus another 40 million to be extra safe. It’s also temporarily switching off View As while it goes through its security review.
Several third-party sites use Facebook as a log-in option, so those platforms might be affected by the attack as well. This misstep comes at a terrible time for the brand as it’s struggling to convince users that their data is safe with it after the whole Cambridge Analytica scandal.