September 28, 2018
Facebook alerted the public to a major hack this morning that may have given attackers or other third parties access to an estimated 50 million user profiles. The Verge reports that Facebook is making 90 million users log back into their accounts today as a safety measure.
The company’s security update says the engineering team discovered the security threat on September 25.
While the investigation has yet to reveal more substantial details, Facebook says the attackers “exploited a vulnerability” in the platform’s code affecting the “View As” feature. This feature allows users to view their profile as other users see it. The exploitation allowed the hackers to steal Facebook access tokens, which made it possible for them to overtake users’ accounts. Facebook says “access tokens” are like “digital keys” that keep users logged into their accounts so they don’t need to re-enter their login information every time they visit the platform.
Facebook says it has already taken action, including fixing the vulnerability and informing law enforcement. Additionally, Facebook has reset the access tokens of the approximately 50 million accounts that were affected by the hack. The company is taking the precautionary measure of resetting the tokens for an additional 40 million accounts subject to a “View As” look-up in the past year. A grand total of about 90 million users will be forced to log back into any accounts or apps connected to their Facebook login. Users will see a notification at the top of News Feed after they log back in describing the incident.
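The remediation described above works because a server only honours tokens it still considers current. The following added example (not Facebook's code) sketches a minimal version of that mechanism: each account carries a hypothetical "token generation" counter, tokens are HMAC-signed with the generation they were minted under, and a bulk reset bumps the counter so every outstanding token for the affected accounts stops validating and those users must log in again. The signing key and store are constructed for the example.

```python
import base64, binascii, hashlib, hmac, json, secrets
from typing import Iterable, Optional

# Constructed server-side signing key for the example (a real deployment keeps it in a secret store).
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical per-account token generation: every token carries the generation it was
# minted under, and a reset bumps the account's generation so older tokens stop validating.
token_generation: dict = {}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(user_id: str) -> str:
    """Mint a signed session token bound to the account's current generation."""
    claims = {"uid": user_id, "gen": token_generation.get(user_id, 0)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def validate_token(token: str) -> Optional[str]:
    """Return the user id if the token is authentic and current, else None."""
    try:
        enc, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(enc)
    except (ValueError, binascii.Error):
        return None  # malformed token
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered token
    claims = json.loads(payload)
    if claims["gen"] != token_generation.get(claims["uid"], 0):
        return None  # minted before the account's reset: user must log in again
    return claims["uid"]

def reset_tokens(user_ids: Iterable[str]) -> int:
    """Invalidate every outstanding token for the given accounts; returns how many were reset."""
    count = 0
    for uid in user_ids:
        token_generation[uid] = token_generation.get(uid, 0) + 1
        count += 1
    return count
```

Resetting an account's generation is cheap and needs no list of the stolen tokens themselves, which is why a precautionary reset of additional accounts costs little beyond the forced re-login.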
As a final precaution, Facebook is also temporarily turning off the “View As” feature.
“This attack exploited the complex interaction of multiple issues in our code,” Guy Rosen, VP of Product Management, says in the security update. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
The investigation has yet to uncover whether any user accounts were misused or subject to information theft as a result of the hack. Facebook says it also doesn’t know who is responsible for the attacks or where they stem from.
“We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change,” says Rosen. “In addition, if we find more affected accounts, we will immediately reset their access tokens.”
Facebook says users should not have to reset their passwords, but if they encounter any issues logging back in, they should visit the Facebook Help Center.
Abuse of this magnitude is a big blow to the company, especially after Cambridge Analytica harvested information from 80 million profiles. This latest hack comes only six months after that revelation. However, Facebook has been quicker to take action and inform users this time around.