- Facebook was hacked through a vulnerability in the site’s “View As” feature.
- As a result, Facebook reset users’ accounts to protect their security. Nearly 50 million people were affected by the hack, and Facebook reset the accounts of another 40 million users as a “precautionary step.”
- For now, the “View As” feature will not be available to use, and trying to use it will result in an error message.
In a blog post on September 28, Guy Rosen, Facebook’s VP of Product Management, said the flaw was discovered by the social network’s engineering team on September 25. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”
He cautioned that Facebook’s investigation was still in its early stages, but said the attackers “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else”. This vulnerability allowed “them to steal Facebook access tokens which they could then use to take over people’s accounts”. Access tokens are the digital keys that keep users logged in to an account, so that they do not need to enter their passwords every time.
Rosen said the vulnerability had been fixed and security agencies had been informed. He added that the access tokens of the almost 50 million affected accounts, as well as those of another 40 million accounts, had been reset.
This is why over 90 million users, including yours truly, had to log back in to the Facebook app. Also, the ‘View As’ feature, which most Facebook users did not even know existed, has been temporarily disabled to allow a “thorough security review”.
Rosen said they had not yet determined whether these accounts were misused or any information was accessed. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change,” he said in the post, adding that if more affected accounts were found, their access tokens would be reset immediately. Apologising for the breach, the Facebook VP said “there’s no need for anyone to change their passwords” at the moment.
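To make the “reset the tokens, keep the passwords” response concrete, here is an added illustration, not code from Facebook or from this article: a minimal server-side session store that issues opaque bearer tokens at login, lets a token be revoked per user, and shows why a bulk reset logs people out without touching their passwords. The `SessionStore` class, the `demo()` scenario and the user names are assumptions constructed for this example; Facebook’s real token format and infrastructure are not described on the page and are not modelled here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Set, Tuple


def _hash_token(token: str) -> str:
    # Only a hash of each bearer token is stored: a leaked copy of the table
    # does not yield usable tokens, while lookups remain a single dict access.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Opaque bearer tokens mapped to user ids, revocable per user (constructed model)."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, str] = {}               # token hash -> user id
        self._by_user: Dict[str, Set[str]] = {}          # user id -> token hashes
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}  # user id -> (salt, pw hash)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds[user_id] = (salt, digest)

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Return a fresh token on correct credentials, else None."""
        creds = self._creds.get(user_id)
        if creds is None:
            return None
        salt, digest = creds
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(32)   # the "digital key" handed to the client
        h = _hash_token(token)
        self._by_hash[h] = user_id
        self._by_user.setdefault(user_id, set()).add(h)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a presented token; None means the caller must log in again."""
        return self._by_hash.get(_hash_token(token))

    def reset_tokens(self, user_ids: Iterable[str]) -> int:
        """Invalidate every token of the given users. Passwords are untouched."""
        revoked = 0
        for uid in user_ids:
            for h in self._by_user.pop(uid, set()):
                self._by_hash.pop(h, None)
                revoked += 1
        return revoked


def demo() -> dict:
    """Constructed scenario: one user's token has been copied; the site resets it."""
    store = SessionStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "hunter2")
    alice_token = store.login("alice", "correct horse battery staple")
    bob_token = store.login("bob", "hunter2")
    stolen = alice_token                      # a copy now exists outside alice's client
    before = store.user_for(stolen)           # "alice": the copy is as good as the original
    revoked = store.reset_tokens(["alice"])   # the precautionary reset
    after = store.user_for(stolen)            # None: the copy no longer resolves
    bob_still = store.user_for(bob_token)     # "bob": users outside the reset stay logged in
    relogin = store.login("alice", "correct horse battery staple")  # same password still works
    return {
        "before": before,
        "revoked": revoked,
        "after": after,
        "bob": bob_still,
        "relogin_ok": relogin is not None and relogin != stolen,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` run is the pair `before` / `after`: a bearer token is sufficient on its own to act as the account until the server forgets it, which is why the fix for a token theft is a server-side reset rather than a password change, and why every user in the reset set sees a login prompt next time they open the app. Storing only token hashes and hashing passwords with a salted PBKDF2 are standard choices added here for the example; the page says nothing about how Facebook stores either.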
As for my account, in the past 24 hours there has been at least one incident that I could not explain: someone waved to a friend on Instant Messenger from my account… it certainly wasn’t me.