On Tuesday September 25, Facebook’s engineering team discovered a potential security vulnerability.
The problem, which was immediately addressed, occurs only if a Facebook user was using the “View As” feature to see how his or her own Facebook profile looks to others. Under that scenario, it could have been possible for a hacker to steal a user’s Facebook access token and potentially take over the account.
Access tokens are the mechanism that keeps people logged in to Facebook, so they do not need to log back in and re-enter their password every time they use the app. As Facebook explained, “the attack exploited the complex interaction of multiple issues in our code.” In other words, this might be considered a “perfect storm” scenario.
Nevertheless, Facebook is taking the matter very seriously. They are notifying users of the immediate action taken to secure accounts and are letting everyone know what has happened. For now, if you are prompted to log back into Facebook, you’ll know why. We’ve included some instructions below published by Facebook today, with a little guidance in the event you don’t remember your Facebook password and you need to create a new one.
On Friday, September 28, 2018, Facebook shared:
“We have yet to determine though whether these accounts were misused or if any information was taken and the overall number of accounts that may have been impacted.
Here is the action we have already taken.
First, we’ve fixed the vulnerability and informed law enforcement.
Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review. Invalidating access tokens will prevent attackers from having future access to impacted accounts. As a result, approximately 90M people will now have to log back in to Facebook or any of their apps that used Facebook Login. As attackers did not have access to account passwords, people will not be required to change their passwords.
People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.”
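The statement above relies on two properties of access tokens: a valid token keeps a user logged in without re-entering a password, and invalidating tokens locks out anyone holding a stolen copy without touching the password itself. The following is an added illustration of that mechanism, written for this page; it is not Facebook’s code and does not describe Facebook Login internals. It assumes a simple HMAC-signed token format (`user|generation|expiry|signature`) and a per-account “token generation” counter that a reset bumps, so every outstanding token for that account stops validating while the password hash is left unchanged. All names, the signing key and the account data are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed server-side signing key; a real deployment keeps this in a KMS/HSM.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class AccountState:
    password_hash: str          # never touched by a token reset
    token_generation: int = 0   # bumped to invalidate every outstanding token


class TokenStore:
    """Issues, validates and revokes session-style access tokens (example only)."""

    def __init__(self, key: bytes):
        self.key = key
        self.accounts: Dict[str, AccountState] = {}

    def register(self, user_id: str, password_hash: str) -> None:
        self.accounts[user_id] = AccountState(password_hash)

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: int, ttl: int = 3600) -> str:
        # Token binds the account's current generation; an old generation is dead.
        acct = self.accounts[user_id]
        payload = f"{user_id}|{acct.token_generation}|{now + ttl}"
        return f"{payload}|{self._sign(payload)}"

    def validate(self, token: str, now: int) -> Optional[str]:
        """Return the user id for a live token, or None if it is forged, revoked or expired."""
        try:
            user_id, gen, exp, sig = token.split("|")
        except ValueError:
            return None
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(sig, self._sign(f"{user_id}|{gen}|{exp}")):
            return None
        acct = self.accounts.get(user_id)
        if acct is None or int(gen) != acct.token_generation or now >= int(exp):
            return None
        return user_id

    def revoke_all(self, user_id: str) -> None:
        """Log the account out everywhere: every token issued so far becomes invalid."""
        self.accounts[user_id].token_generation += 1

    def bulk_reset(self, user_ids: Iterable[str]) -> int:
        """Reset tokens for a set of affected accounts; returns how many were reset."""
        count = 0
        for uid in user_ids:
            if uid in self.accounts:
                self.revoke_all(uid)
                count += 1
        return count


def demo() -> dict:
    """Walk through a token theft scenario and the reset that neutralises it."""
    store = TokenStore(SERVER_KEY)
    store.register("alice", "constructed-hash-alice")
    store.register("bob", "constructed-hash-bob")
    t0 = 1_538_000_000  # constructed epoch timestamp

    alice_tok = store.issue("alice", t0)   # imagine this copy was leaked
    bob_tok = store.issue("bob", t0)
    hash_before = store.accounts["alice"].password_hash

    # A token with one altered signature character must be rejected outright.
    tampered = alice_tok[:-1] + ("0" if alice_tok[-1] != "0" else "1")

    results = {
        "valid_before_reset": store.validate(alice_tok, t0 + 10) == "alice",
        "tampered_rejected": store.validate(tampered, t0 + 10) is None,
    }

    # Affected set includes an unknown id, which is skipped; bob is untouched.
    results["accounts_reset"] = store.bulk_reset({"alice", "no-such-user"})
    results["stolen_token_dead"] = store.validate(alice_tok, t0 + 20) is None
    results["unaffected_still_valid"] = store.validate(bob_tok, t0 + 20) == "bob"
    results["password_unchanged"] = store.accounts["alice"].password_hash == hash_before
    # After logging back in, a freshly issued token works again.
    results["relogin_valid"] = store.validate(store.issue("alice", t0 + 30), t0 + 40) == "alice"
    # Expiry is enforced independently of revocation.
    results["expired_rejected"] = store.validate(bob_tok, t0 + 3600) is None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The generation counter is what makes the precautionary reset of 40 million additional accounts cheap: no stored tokens have to be found and deleted, and a single integer bump per account retires every copy, stolen or not. The same counter backs the “log out of all sessions” control the statement points users to.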