Notebookcheck

50 million Facebook accounts were compromised due to a security flaw

A Facebook breach has compromised almost 50 million accounts. After discovering the breach on September 25, the company reset the access tokens of the 50 million affected accounts and 40 million others as a precautionary step. The attackers accessed the accounts via a vulnerability involving Facebook's access tokens, which keep users logged in.


If you are a regular Facebook user, you may want to check your account. Due to a security flaw involving the site’s access tokens, almost 50 million accounts were compromised over the past year.

Facebook discovered the breach this past Tuesday, September 25. A vulnerability in Facebook’s “View As” feature allowed unknown attackers to steal access tokens. Access tokens allow you to stay logged into Facebook so that you don’t have to re-enter your password. Ever wonder why you don’t have to log in when you open Facebook’s mobile app? You can thank access tokens.

The company says that the vulnerability is now fixed, and the affected accounts were forcibly logged out so that new access tokens would be generated. Facebook also reset the tokens for 40 million other accounts as a preventative measure. The attackers used the “View As” feature, which allows you to see your profile from other users’ perspectives, to steal the access token of an account. They then used the compromised account to pivot to other accounts, and so on. Facebook estimates that this attack began in July 2017.

The good news is that passwords weren’t compromised. Since access tokens are generated randomly after a password is authenticated, there’s no back door to passwords via an access token. The bad news is that with an access token, an attacker could access all of the data on your profile and make any changes that you can. Essentially, anyone with your access token could log in to your account.
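The token behaviour described above, as an added sketch that is not from the article or from Facebook's code: a toy session store in which a random token is issued after one password check, a copy of that token is accepted without the password, and a forced reset makes the copy useless. The class, method names and the sample account are hypothetical.

```python
import hashlib
import secrets

class TokenStore:
    def __init__(self):
        self._passwords = {}  # user -> (salt, PBKDF2 hash of the password)
        self._sessions = {}   # SHA-256(token) -> user; raw tokens are never stored

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._kdf(password, salt))

    def login(self, user, password):
        """Check the password once, then return a random bearer token."""
        salt, stored = self._passwords.get(user, (b"", b""))
        if not stored or not secrets.compare_digest(stored, self._kdf(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # random, so it reveals nothing about the password
        self._sessions[self._digest(token)] = user
        return token

    def whoami(self, token):
        """Whoever presents a live token is treated as its owner; no password needed."""
        return self._sessions.get(self._digest(token))

    def reset_tokens(self, user):
        """Forced logout: drop every session of the user and return how many were dropped."""
        stale = [d for d, owner in self._sessions.items() if owner == user]
        for d in stale:
            del self._sessions[d]
        return len(stale)

def demo():
    store = TokenStore()
    store.register("alice", "correct horse")        # constructed sample account
    copied = store.login("alice", "correct horse")  # stands in for a token that leaked
    before = store.whoami(copied)                   # the copy is accepted as alice
    dropped = store.reset_tokens("alice")           # the server-side reset
    after = store.whoami(copied)                    # the copy no longer maps to anyone
    fresh = store.login("alice", "correct horse")   # the unchanged password still works
    return before, dropped, after, store.whoami(fresh)
```

The reset works without a password change because the server only forgets the old tokens; the stored password hash is untouched.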

Facebook hasn’t determined whether any malicious activity occurred on any of the compromised accounts. If you had to log in to Facebook through a venue that doesn’t normally require a login, there’s a good chance your account was affected. If you want to reset your access tokens anyway (which is probably a good move), the Naked Security blog has detailed instructions on how to complete the process.

Sam Medley, 2018-09-30 (Update: 2018-09-30)
Sam Medley - Review Editor - @samuel_medley