Last Friday, Facebook announced that it had discovered a serious security issue that allowed attackers to obtain information that could have let them take over around 50 million accounts. The attackers exploited a weakness in Facebook’s “View As” feature, which lets users see what their own profile looks like to others. Three separate bugs in the code interacted to allow the attackers to obtain access tokens (digital keys that keep people logged in to the service without having to re-enter their password), which could then be used to view and control the affected accounts. The attack produced a spike in user activity on 16 September, which alerted Facebook to a potential intrusion.
Facebook reset the access tokens of the almost 50 million accounts whose tokens were taken, and as a precaution those of a further 40 million accounts that had used the “View As” feature in the past year. Affected users were required to re-enter their password the next time they returned to Facebook or opened an app that was logged in through Facebook, and they will see a notification at the top of their News Feed explaining what happened. The “View As” feature has been suspended while Facebook reviews its security. Law enforcement has been notified, and the breach raises General Data Protection Regulation (GDPR) issues that Facebook must address with regulators.
Why is this significant?
For now, Facebook does not know who the attackers are, or whether they misused any of the stolen information; initial investigations did not uncover any misuse. The company said there is no need for users to change their passwords, and that it would be doubling the number of employees working on security. Its shares closed 2.6% down, reflecting the severity of the breach. In Mark Zuckerberg’s words: “Security is an arms race, and we’re continuing to improve our defences.”