Facebook shocked its users on Friday after disclosing a recent security breach that affected over 50 million users by extracting passwords from security tokens. As a countermeasure, Facebook logged out 90 million users to prevent the perpetrator from stealing more passwords.
VP of Product Management Guy Rosen shared the findings in the company's official statement. “On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” Rosen wrote. According to the initial investigation, the hacker exploited a vulnerability “that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” allowing the attackers to steal the access tokens that keep a user logged in to their account.
Facebook shared the steps it took to mitigate the security breach. “First, we’ve fixed the vulnerability and informed law enforcement. Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Rosen wrote.
In addition to logging out 90 million users, Facebook will also disable the ‘View As’ feature until further notice. “This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Rosen wrote, explaining the technical details behind the breach.
For now, users can breathe a sigh of relief, as the company confirmed that no sensitive information was stolen and the vulnerability has been fixed. Just in case, you can update your password now or activate the multi-factor authentication feature for further protection.