Facebook has issued a statement warning its users of a "security issue" that affects nearly 50 million user accounts. An investigation is underway, but Facebook said that "it's clear that attackers exploited a vulnerability in Facebook's code."
That vulnerability arose from the "View As" feature that enables users to see what their profiles look like to other people. Exploiting a change made in July 2017 to the video uploading system, hackers could take control of Facebook access tokens—"the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app"—and use them to take over connected accounts.
Facebook has fixed the problem and informed law enforcement, and the access tokens of the accounts affected by the breach have been reset, as have tokens belonging to 40 million more accounts that have been the subject of a "View As" lookup over the past year. "As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login," the statement says.
The "View As" feature has also been suspended while Facebook investigates.
"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based," Facebook wrote.
"We’re working hard to better understand these details—and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens."
Facebook noted that users do not need to change their passwords. Users who want to log out of Facebook just in case should hit up the "Security and Login" section of the Facebook settings menu.
one last nugget, which will go in our final story once updated later today: Mark Zuckerberg and Sheryl Sandberg's Facebook accounts were both compromised in this hack. https://t.co/E4qbMkhnIp (September 28, 2018)