Facebook has announced a massive security issue affecting at least 50 million of its 2.23 billion active users. While the company is still investigating the issue, it already has taken steps to stop the exploit and protect users. Here’s what we know so far.
Update 9/29/18: Facebook has said that third-party apps were able to be accessed as well.
Facebook says its engineering team discovered a security threat that could allow a hacker “to steal Facebook access tokens which they could then use to take over people’s accounts.”
When did the attack occur?
It’s unclear exactly when the accounts were breached, but Facebook discovered the issue on Tuesday, September 25. The issue stems from a change Facebook made to its video uploading feature in July 2017, so it’s possible the vulnerability went unnoticed for a long time.
How did the hackers get in?
This attack exploited the complex interaction of multiple issues in Facebook’s code, the company said. The attackers exploited a vulnerability in Facebook’s code related to the “View As” feature, which is designed to let users see how their profile appears on other people’s screens. If you used the feature, hackers were able to steal your access token and potentially take over your account.
What’s an access token?
An access token is the thing your browser uses to keep you logged in to your Facebook account after signing in once.
Has the vulnerability been fixed?
According to Facebook, the exploit was patched on Thursday, September 27.
How do I know if my account has been affected?
Facebook has gone ahead and reset the access token for the 50 million users who were affected as well as another 40 million accounts “that have been subject to a “View As” look-up in the last year.” So, if you had to manually log in to your Facebook account on Friday, September 28, it’s likely your account was compromised.
What could the hackers do with my account?
Prior to FB learning of the hack, if the attackers were able to retrieve an access token for your account, they could theoretically log in to your account on their machine and have full access to it.
What about apps that use Facebook login?
Facebook's vice president of product, Guy Rosen said on a conference call that hackers would also have access to any app that was linked to your account as well.
Can I still use the ‘View As’ feature?
Facebook has temporarily disabled the feature as it conducts “a thorough security review.”
Was any of my personal information stolen?
Facebook said it has “yet to determine whether these accounts were misused or any information accessed.” But if hackers had unfettered access to user accounts, it’s safe to say at least some data was compromised.
Should I change my password?
Definitely, yes. There’s no indication that the attackers were able to steal passwords directly, but changing it will ensure that any access they may have had to your account will be blocked.
How do I do that?
- Click the menu icon in the top-right corner of any Facebook page and select Settings.
- Click Security and Login.
- Click Edit next to Change Password.
- Click Save Changes.
Should I unlink apps that use Facebook login?
It's not a bad idea, especially if there are apps that you haven't used in a while. At the very least you should log out of any Facebook Login apps to reset the access token.
How else can I protect my account?
It might be too late for this attack, but there are many ways to limit your Facebook account. Or you can just delete or disable it altogether.