Most of you must have experienced yourself being logged out of Facebook on Friday. Facebook forced more than 90 million users to log out and login again into their accounts due to a massive data breach.
Facebook disclosed on Friday that some unknown hackers managed to exploit three vulnerabilities in their website and steal data from 50 million users.
The vulnerability resided in the “View As” feature which is an option that permitted users to find out what other Facebook users would see if they visit your profile. This flaw allowed the hackers to steal the secret access tokens that could be used to directly access users’ private information without requiring their original account password or validating two-factor authentication code.
As a precautionary measure, the company has reset access tokens for approximately 90 million Facebook users.
Guy Rosen, Facebook vice president of product, shared some more details of the breach, which is believed to be the most significant security blunder in Facebook’s history.
Take a look at some of the new developments in the Facebook data breach incident
Facebook Detected Breach After Noticing Unusual Traffic Spike
Facebook security team have noticed an unusual traffic spike on its servers earlier this week. When it was investigated it was known to be a massive cyber-attack, that had been present since 16 September, aimed at stealing data of millions of Facebook users.
Hackers Exploited 3 Vulnerabilities
The hack was done using three separate vulnerabilities of Facebook combined. The first flaw incorrectly offered users a video uploading option within certain posts that enables people to wish their friends ‘Happy Birthday,’ when accessed on “View As” page.
The second flaw was in the video uploader that incorrectly generated an access token that had permission to log into the Facebook mobile app, which is otherwise not allowed.
The third one was that the generated access token was not for you as the viewer, but for the user that you were looking up, giving attackers an opportunity to steal the keys to access an account of the person they were simulating.
Hackers Stole Secret Access Tokens for 50 Million Accounts
The attackers gained access to the secret access tokens for as many as 50 million Facebook users, which could then be used to take over accounts.
Access Tokens are similar to digital keys which enabled people to logged in to Facebook, so they don’t need to re-enter their password every time they use the app.
Your Facebook Account Password Has Not Been Compromised
The attack however did not reveal your Facebook account passwords, but the worst thing is that it doesn’t even require a password.
An attacker can use millions of secret access tokens to gather information from each account using an API, without actually having your password or two-factor authentication code.
Hackers Downloaded Users’ Private Information Using Facebook API
The number of accounts affected or what personal information was accessed by hackers is not sure but this year-old vulnerabilities had exposed all your personal information, private messages, photos and videos wide open for hackers.
Your “Logged in as Facebook” Accounts at 3rd-Party Apps/Websites Are at Risk
Since secret tokens enabled attackers to access the user accounts, it could also allow them to access other third-party apps that were using Facebook login.
Facebook Reset Access Tokens for 90 Million Accounts
Facebook has reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution. So around 90 Million Facebook users were logged out of their accounts on Friday.
Check Active Sessions on Facebook to Find If Your Account Have Been Hacked
Many Facebook users have noticed unknown IP addresses from foreign locations that apparently had accessed their account unauthorizedly.
To check this, go to “Account Settings → Security and Login → Where You’re Logged In” to review the list of devices and their location that have accessed your Facebook account.
If you find any suspicious session that you never logged in, you can revoke back the access in just one click.
Breach Isn’t Connected to the Hacker Who Pledged to Delete Zuckerberg’s Personal Page
A Taiwanese hacker, Chang Chi-Yuang, claimed that he would demonstrate a critical zero-day vulnerability in Facebook by broadcasting himself hacking Mark Zuckerberg’s Facebook page on Sunday. But Facebook believes that the new security breach has nothing to do with Chang’s hack. Besides he says he canceled the stream and reported the bug to Facebook.
Facebook Faces Class-Action Lawsuit Over the Massive Hack
After the breach two residents, Carla Echavarria from California and another from Virginia, filed a class-action complaint against Facebook in US District Court for the Northern District of California. They alleged that Facebook failed to protect their data from going into wrong hands due to its lack of proper security practices.
Facebook has reset account logins for tens of millions of users and is also advising affected users who had Instagram or Oculus accounts linked to their Facebook account to de-link and then link those accounts again so that the access tokens can be changed.
The vulnerabilities exploited by the hackers are fixed, and Facebook is working with the FBI to investigate the security incident, which has impacted approximately 2.5% of Facebook users of its over 2 billion users.