Facebook ‘Sorry’ After Massive Breach Affecting Up To 50 Million Accounts
Facebook disclosed Friday that attackers exploited a vulnerability in the social media giant's code to potentially take over nearly 50 million people's accounts.
The Menlo Park, Calif.-based company said the vulnerability discovered in Facebook's code Tuesday impacted "View As", a feature that lets people see what their own profile looks like to someone else, according to a post by Guy Rosen, VP of product management, on the company’s website. This allowed the bad actors to steal Facebook access tokens, which they could use to take over people's accounts.
Rosen said access tokens are the equivalent of digital keys that keep people logged into Facebook so that they don't need to reenter their password every time they use the app.
"We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security," Rosen said.
Facebook has yet to determine whether the affected accounts were misused or any if any information was accessed since the company had only just started its investigation, Rosen said. In addition, Rosen said Facebook doesn't know who's behind these attacks or where they're based.
The issues stem from a change Facebook made to its video uploading feature in July 2017, which impacted "View As." Once the attackers had found the vulnerability and used it to get an access token, Rosen said they then had to pivot from that account to others to steal more tokens.
In response, Rosen said Facebook had fixed the vulnerability and notified law enforcement. The social networking services has not only reset the access tokens of the almost 50 million accounts Facebook knows were affected, but also took the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the past 12 months.
In addition, Rosen said Facebook has temporarily turned off the "View As" feature while it conducts a thorough security review.
"People's privacy and security is incredibly important, and we're sorry this happened," Rosen said. "It's why we've taken immediate action to secure these accounts and let users know what happened."
Allowing websites or applications to automatically authenticate a user without requiring biometrics or even a password poses a huge, significant danger, according to Michael Crean, president of Woodbridge, Va.-based Solutions Granted.
Crean said users should refrain from allowing machines, websites or applications to remember their user name and passwords and provide unfettered access to whoever is purporting to control the account. Instead of remained logged into a service, Crean recommended that users rely on a password management tool like LastPass to store their login information for all of their different accounts.
"When that [the authentication] gets compromised, the attacker is given a free ride and access to whatever they have privilege to access," Crean said.