50 million Facebook accounts were compromised due to a security flaw
If you are a regular Facebook user, you may want to check your account. A vulnerability that let attackers steal the site’s access tokens was used to compromise almost 50 million accounts.
Facebook discovered the breach on Tuesday, September 25, 2018. A vulnerability in Facebook’s “View As” feature allowed unknown attackers to steal access tokens. An access token is the credential your browser or app presents on each request after you have authenticated, so that you stay logged in without re-entering your password. Ever wonder why you don’t have to log in every time you open Facebook’s mobile app? You can thank access tokens.
The company says the vulnerability has been fixed. The affected accounts were forcibly logged out, which invalidates their existing access tokens; new ones are issued only when the user logs in again. Facebook also reset the tokens for 40 million other accounts as a precaution. The attackers abused the “View As” feature, which shows you how your profile looks to other users, to obtain the access token of an account. Because a stolen token is as good as being logged in, they could then use the compromised account to harvest tokens for other accounts, and so on. Facebook says the vulnerability was introduced by a code change in July 2017.
The good news is that passwords weren’t compromised. An access token is a random value generated after the password has been verified, so it contains nothing that could be reversed into the password. The bad news is that an access token is a bearer credential: anyone holding it can read everything on your profile and make any change you can make. Essentially, anyone with your access token is logged in as you, without needing your password.
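To make the three properties above concrete (the token is random and independent of the password, possession alone grants the owner’s access, and a server-side reset kills stolen copies), here is a small added example of how a bearer-token login works. It is illustrative code written for this article, not Facebook’s implementation; the user store, the `register`/`login`/`whoami`/`revoke_all_tokens` functions and the sample account are all constructed for the demo.

```python
# Added illustration of bearer access tokens (hypothetical, not Facebook's code):
# a password is checked once, a random token is issued, whoever presents the
# token acts as the account owner, and a forced logout invalidates every token.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo user store: username -> (salt, password hash).
_users: Dict[str, Tuple[bytes, bytes]] = {}
# Server-side session table: sha256(token) -> username. Storing only the hash
# means a leaked table does not directly yield usable bearer tokens.
_sessions: Dict[str, str] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; production code would
    # typically use bcrypt, scrypt or Argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, _hash_password(password, salt))


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str) -> Optional[str]:
    """Verify the password once, then issue a fresh random bearer token."""
    record = _users.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    # 256 bits from the OS CSPRNG: the token carries no information about
    # the password, so a stolen token cannot be turned back into one.
    token = secrets.token_urlsafe(32)
    _sessions[_token_id(token)] = username
    return token


def whoami(token: str) -> Optional[str]:
    """Bearer check: the server only knows the token, not who presents it."""
    return _sessions.get(_token_id(token))


def revoke_all_tokens(username: str) -> int:
    """Forced logout: drop every session for the account. Returns the count."""
    doomed = [tid for tid, user in _sessions.items() if user == username]
    for tid in doomed:
        del _sessions[tid]
    return len(doomed)


def demo() -> dict:
    """Walk through issue, theft, and reset with a constructed account."""
    register("alice", "correct horse battery staple")
    phone = login("alice", "correct horse battery staple")
    laptop = login("alice", "correct horse battery staple")
    stolen = phone  # an attacker who copies this token looks exactly like alice
    return {
        "wrong_password_rejected": login("alice", "guess") is None,
        "tokens_differ": phone != laptop,
        "attacker_is_alice": whoami(stolen) == "alice",
        "revoked": revoke_all_tokens("alice"),      # both sessions gone
        "stolen_token_dead": whoami(stolen) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `revoke_all_tokens` step is the server-side equivalent of the forced logout Facebook applied: the stolen token itself is untouched, but the server no longer recognises it, so the attacker’s copy is worthless while the user simply logs in again and receives a new one.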
Facebook hasn’t yet determined whether any malicious activity occurred on the compromised accounts. If you were unexpectedly logged out of Facebook on a device or app that normally keeps you logged in, your account was probably among those whose tokens were reset. If you want to invalidate your access tokens anyway (which is probably a good move), the Naked Security blog has detailed instructions on how to complete the process.