A million hacked Facebook accounts aren’t cool. You know what’s even less cool? Fifty million hacked Facebook accounts.
A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them were “directly affected,” anyway.
You’ll have to log back in to Facebook as a result – that includes any apps that you might log into with Facebook, like Spotify.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” said Facebook’s Guy Rosen.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”
According to Facebook, attackers exploited a vulnerability in the website’s code.
It specifically impacted “View As”, which is a feature that lets you see what your own profile looks like to someone else.
Hackers used this feature to steal users’ Facebook access tokens.
Access tokens are like digital keys that keep you logged into Facebook – so you don’t have to re-enter your password every time you use the app.
This means that hackers would’ve been able to access your Facebook account, potentially giving them access to your entire profile, your private messages and more.
“This attack exploited the complex interaction of multiple issues in our code,” Facebook admitted.
“It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’
“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
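The “pivot” Facebook describes, one actor hopping from account to account to harvest tokens, is also what a defender can look for. The following is an added example, not code from the article or from Facebook: it runs a simple detection over constructed “View As” look-up log lines (the log format, session ids, account ids and thresholds are all assumptions), flags sessions that request the view of unusually many distinct accounts within a short window, and lists the looked-up accounts as candidates for a precautionary token reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of "View As" look-up log lines (not real Facebook logs):
# timestamp, session id of the caller, account id whose view was requested.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z sess=A target=u1001
2018-09-25T10:00:03Z sess=A target=u1002
2018-09-25T10:00:04Z sess=A target=u1003
2018-09-25T10:00:06Z sess=A target=u1004
2018-09-25T10:00:09Z sess=A target=u1005
2018-09-25T10:00:10Z sess=A target=u1006
2018-09-25T10:05:00Z sess=B target=u2001
2018-09-25T10:30:00Z sess=B target=u2002
"""

def parse(line):
    """Split one constructed log line into (timestamp, session, target)."""
    ts, sess, target = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            sess.split("=", 1)[1], target.split("=", 1)[1])

def flag_pivoting_sessions(log_text, max_targets=5, window=timedelta(minutes=10)):
    """Return {session: peak distinct targets} for sessions that looked up more
    than `max_targets` distinct accounts inside any sliding `window`. A real
    user previews their profile as a handful of people; a token-harvesting
    pivot touches many accounts quickly. Thresholds are assumed values."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, sess, target = parse(line)
            events[sess].append((ts, target))
    flagged = {}
    for sess, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            distinct = {t for _, t in evs[start:end + 1]}
            if len(distinct) > max_targets:
                flagged[sess] = max(flagged.get(sess, 0), len(distinct))
    return flagged

def affected_accounts(log_text, sessions):
    """Accounts whose view was requested by a flagged session: the set a
    precautionary token reset would cover, mirroring Facebook's response."""
    return sorted({parse(l)[2] for l in log_text.splitlines()
                   if l.strip() and parse(l)[1] in sessions})
```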
Has Facebook fixed the problem?
Facebook says it has “fixed the vulnerability”, and told law enforcement about the issue.
The world’s largest social network has also reset the access tokens for the 50 million accounts that Facebook admits were affected.
Facebook is also resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year – as a precautionary measure.
This means that roughly 90 million users will be logged out of Facebook, and any apps linked to Facebook.
When you log back in, you’ll see a notification at the top of your News Feed explaining what happened.
Facebook has also temporarily turned off the “View As” feature so it can “conduct a thorough security review”.