
50 million Facebook accounts were compromised due to a security flaw

A Facebook breach has compromised almost 50 million accounts. After discovering the breach on September 25, the company reset the access tokens of the roughly 50 million affected accounts and, as a precaution, of 40 million more. The attackers got in through a vulnerability involving Facebook's access tokens, the credentials that keep users logged in.

If you are a regular Facebook user, you may want to check your account. Due to a security flaw involving the site's access tokens, almost 50 million accounts were compromised.

Facebook discovered the breach on Tuesday, September 25. A vulnerability in Facebook's “View As” feature allowed unknown attackers to steal access tokens. An access token is the credential Facebook hands your device after you sign in; presenting it on later requests keeps you logged in without re-entering your password. Ever wonder why you don't have to log in when you open Facebook's mobile app? You can thank access tokens.

The company says the vulnerability is now fixed. The affected accounts were also forcibly logged out so that new access tokens are generated at the next login, and Facebook reset the tokens of 40 million other accounts as a preventive measure. The attackers used the “View As” feature, which lets you see your own profile as another user would see it, to steal an account's access token. They then used that account to pivot to further accounts, and so on. Facebook traces the vulnerability to a change made to its code in July 2017.

The good news is that passwords weren't compromised. Access tokens are random values minted after a password has been verified, not derived from it, so holding a token gives an attacker no route back to the password. The bad news is that a token is a bearer credential: whoever presents it is treated as you, so an attacker with your token could access all of the data on your profile and make any change you can make. This is also why changing your password is not enough on its own; existing tokens stay valid until the site invalidates them, which is what Facebook's reset did.
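To make concrete what an access token is and why resetting tokens, rather than passwords, was the remediation that mattered, here is an added example modelling a minimal token store in Python. It is illustrative code written for this article, not Facebook's code and not taken from the original piece; the user name, passwords, the two devices and the "stolen" token are all constructed. It shows that a token is random and independent of the password, that anyone holding it is treated as the user, that a password change alone leaves stolen tokens working, and that a token reset is what actually kills them.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def _fingerprint(token: str) -> str:
    # Store only a hash of the token so a leaked session table does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _password_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TokenStore:
    """Constructed in-memory stand-in for a site's password and session tables."""

    def __init__(self) -> None:
        self._passwords: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, digest)
        self._sessions: Dict[str, Tuple[str, float]] = {}     # token hash -> (user, issued_at)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, _password_digest(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Verify the password; on success mint a fresh bearer token for this device."""
        record = self._passwords.get(user)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(_password_digest(password, salt), digest):
            return None
        return self._issue(user)

    def _issue(self, user: str) -> str:
        # 256 random bits from the OS CSPRNG: the token carries no information about the password.
        token = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(token)] = (user, time.time())
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Resolve a presented token. Whoever holds the token is treated as that user."""
        entry = self._sessions.get(_fingerprint(token))
        return entry[0] if entry else None

    def change_password(self, user: str, new_password: str) -> None:
        """Deliberately does NOT touch sessions, to show why a password change alone is not enough.
        A production site should revoke existing tokens here as well."""
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, _password_digest(new_password, salt))

    def revoke_all(self, user: str) -> int:
        """The kind of reset Facebook applied: drop every live token for the user so each device must log in again."""
        doomed = [h for h, (u, _) in self._sessions.items() if u == user]
        for h in doomed:
            del self._sessions[h]
        return len(doomed)


def walkthrough() -> dict:
    """Constructed scenario: one user signed in on two devices, one token copied by an attacker."""
    store = TokenStore()
    store.register("alice", "correct horse battery staple")
    phone = store.login("alice", "correct horse battery staple")
    store.login("alice", "correct horse battery staple")  # second device, e.g. a laptop
    stolen = phone  # the attacker only needs a copy of the token, never the password

    result = {}
    result["stolen_token_works"] = store.whoami(stolen) == "alice"
    result["random_token_rejected"] = store.whoami(secrets.token_urlsafe(32)) is None
    # Changing the password leaves every existing session, including the stolen one, alive ...
    store.change_password("alice", "new passphrase")
    result["stolen_token_survives_password_change"] = store.whoami(stolen) == "alice"
    # ... which is why the sessions themselves had to be reset.
    result["tokens_revoked"] = store.revoke_all("alice")
    result["stolen_token_after_reset"] = store.whoami(stolen)
    result["login_after_reset"] = store.login("alice", "new passphrase") is not None
    result["old_password_after_change"] = store.login("alice", "correct horse battery staple")
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The store keeps only a hash of each token, so a copy of the session table is not by itself a set of usable credentials; the token handed to the device is the only place the secret lives in clear. Real deployments add expiry, binding to a client, and revocation on password change; the example leaves the last one out on purpose to make the article's point visible.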

Facebook hasn’t yet determined whether any malicious activity occurred on the compromised accounts. If you were unexpectedly logged out of Facebook on a device or app that normally keeps you signed in, there’s a good chance your account was among those reset. If you want to reset your access tokens anyway (which is probably a good move), the Naked Security blog has detailed instructions; in short, the “Where You're Logged In” section of Facebook's Security and Login settings lets you log out of every active session.


Sam Medley, 2018-09-30 (Update: 2018-09-30)