Facebook announced the breach on Friday morning.
I woke up this morning with an odd icon flashing on my phone’s lock screen. It was Facebook Messenger, an app I seldom use, asking me to log in again. Turns out I wasn’t the only one. Facebook announced on Friday that a network breach had occurred, exposing the information of some 50 million users.
More than 90 million users had their access tokens reset and were forced to log out on Friday morning, a common containment measure when sessions may have been hijacked: the stolen secret was the token, not the password, so invalidating the tokens is what actually locks an attacker out.
Facebook reportedly discovered the breach earlier in the week, on Tuesday. Apparently the attackers exploited a vulnerability in Facebook’s code that gave them the ability to take over some users’ accounts. Facebook says it has already fixed the issue and notified authorities, though at this time there is no indication of who was behind the attack, nor is the full scope of the attack clear.
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
This is more bad news for the social media giant, which has seemingly been under fire on all fronts lately. If you’ll remember, Cambridge Analytica, a political data-mining firm, was able to harvest information from over 87 million accounts in the lead-up to the 2016 election through a third-party quiz app that abused Facebook’s Graph API. That news didn’t break in earnest until earlier this year, though.
In the aftermath, as Facebook rolled out a PR campaign aimed at reassuring its users, CEO Mark Zuckerberg said this:
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”
You get the feeling that sentence is going to come back to haunt Mr. Zuckerberg over the coming days.
Facebook has also been in the news for its role in the proliferation of fake news during the last election cycle. The company is also being criticized for shirking its GDPR obligations. And with the US Republican party currently threatening to regulate Google for political bias, don’t be surprised if Facebook gets lumped in with that, too.
So, once again Facebook is sorry your data may have been compromised.
People’s privacy and security are incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.
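Both the mass token reset on Friday and the “log out of them all” option Facebook points users to above rely on the same mechanism: the server, not the client, decides whether a bearer token is still good, so every key a user holds can be rotated without touching the password. The following is an added example, written for this post and not Facebook’s own code, of how that works: tokens are random strings stored only as keyed hashes, each token carries the per-user “generation” it was minted under, and revoking a user bumps the generation so every outstanding token dies at once. The class and method names (`TokenStore`, `issue`, `verify`, `revoke_all`, `demo`) and the sample users are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration of opaque access tokens with per-user bulk revocation.
# Not Facebook's implementation; names and sample data are hypothetical.


class TokenStore:
    def __init__(self, ttl_seconds=30 * 24 * 3600, clock=time.time):
        self._clock = clock
        self._ttl = ttl_seconds
        # Key used to hash tokens at rest: a leaked table yields nothing usable.
        self._server_key = secrets.token_bytes(32)
        # token_hash -> (user_id, generation, issued_at, device_label)
        self._tokens = {}
        # user_id -> current generation; bumping it orphans every live token
        self._generation = {}

    def _hash(self, token):
        return hmac.new(self._server_key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id, device):
        """Mint a fresh bearer token for a successful login on one device."""
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user_id, 0)
        self._tokens[self._hash(token)] = (user_id, gen, self._clock(), device)
        return token

    def verify(self, token):
        """Return the user the token belongs to, or None if it is unknown, revoked or expired."""
        rec = self._tokens.get(self._hash(token))
        if rec is None:
            return None
        user_id, gen, issued_at, _ = rec
        if gen != self._generation.get(user_id):
            return None  # minted before the last reset
        if self._clock() - issued_at > self._ttl:
            return None  # past its lifetime
        return user_id

    def active_sessions(self, user_id):
        """The 'places you're logged in' list: devices holding a still-valid token."""
        current = self._generation.get(user_id)
        return [d for (u, g, _, d) in self._tokens.values() if u == user_id and g == current]

    def revoke_all(self, user_id):
        """Log this user out everywhere. The password is untouched; only the keys change."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1
        current = self._generation[user_id]
        # Drop the now-dead rows so they cannot linger in storage.
        self._tokens = {h: r for h, r in self._tokens.items()
                        if not (r[0] == user_id and r[1] < current)}


def demo():
    """Walk through a reset: two live sessions, a forced logout, then a normal re-login."""
    store = TokenStore()
    phone = store.issue("alice", "phone")
    laptop = store.issue("alice", "laptop")
    before = (store.verify(phone), store.verify(laptop))
    store.revoke_all("alice")  # the incident-response step, or the one-click logout
    after = (store.verify(phone), store.verify(laptop))
    fresh = store.issue("alice", "phone")  # re-login with the unchanged password
    return before, after, store.verify(fresh), store.active_sessions("alice")
```

Resetting a whole population, as happened here, is just `revoke_all` applied to each affected user ID; an attacker holding a stolen token then fails `verify` on the next request, and the legitimate owner simply logs back in.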