Massive Security Breach By Facebook; Over 50 Million Accounts Affected

Social media giant Facebook on Friday announced it will be disabling the "View As" feature temporarily in light of a security breach. As per the official blog post, almost 50 million Facebook accounts were affected by this breach in security.

"Attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app", the statement read.

After which, Facebook has now adopted the following measures to address the matter. Firstly, as per the press release, the team has "fixed the vulnerability and informed law enforcement". Secondly, the company has reset the access tokens for almost 50 million accounts.

"We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened", the official blog read.

Explaining the technical glitch that led to the security breach the blog stated that,

"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

As per the official blog, Facebook's investigation is currently underway. Moreover, the attackers have not been identified yet.

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens."

Apologising to users, the statement read, "People’s privacy and security is incredibly important, and we’re sorry this happened". The official blog has stressed that users do not need to change their passwords.

Following this release, the CEO of Facebook Mark Zuckerberg shared a post on his official account:

I want to update you on an important security issue we've identified. We patched the issue last night and are taking precautionary measures for those who might have been affected. We're still investigating, but I want to share what we've already found:

On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people's accounts on Facebook.

We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.

We've already taken a number of steps to address this issue:

1. We patched the security vulnerability to prevent this attacker or any other from being able to steal additional access tokens. And we invalidated the access tokens for the accounts of the 50 million people who were affected – causing them to be logged out. These people will have to log back in to access their accounts again. We will also notify these people in a message on top of their News Feed about what happened when they log back in.

2. As a precautionary measure, even though we believe we've fixed the issue, we're temporarily taking down the feature that had the security vulnerability until we can fully investigate it and make sure there are no other security issues with it. The feature is called "View As" and it's a privacy tool to let you see how your own profile would look to other people.

3. As an additional precautionary measure, we're also logging out everyone who used the View As feature since the vulnerability was introduced. This will require another 40 million people or more to log back into their accounts. We do not currently have any evidence that suggests these accounts have been compromised, but we're taking this step as a precautionary measure.

We face constant attacks from people who want to take over accounts or steal information around the world. While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place. If you've forgotten your password or are having trouble logging in, you can access your account through the @Help Center.

There’s more detail in Guy’s post below, and we’ll update you as our investigation continues.