In a huge security beach, as many as 50 million Facebook accounts were recently broken into by hackers, the social media giant admitted on Friday. Facebook said the hackers executed this security breach by stealing “access tokens” or digital keys.
Access tokens are the equivalent of digital keys that keep accounts logged in to Facebook on the devices people use, sparing them the ritual of re-entering password every time they use the app.
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Guy Rosen, VP, Product Management, said in a statement.
The users affected by the breach are spread across the world, it is believed. The company has not given country-wise data of the affected user accounts, but a number of them could be from India since Facebook has the maximum 270 million users in this country.
“We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more,” Facebook CEO Mark Zuckerberg said in a post.
The security breach was discovered by the Facebook security team on September 25, and Facebook says it has now fixed the vulnerability and informed the law enforcement.
Listing the steps taken to address the issue, Zuckerburg has said the access tokens for the 50 million Facebook accounts have been invalidated, causing the users to log out. “These people will have to log back in to access their accounts again. We will also notify these people in a message on top of their News Feed about what happened when they log back in,” his post reads.
Zuckerberg adds: “As a precautionary measure, even though we believe we’ve fixed the issue, we’re temporarily taking down the feature (View As) that had the security vulnerability until we can fully investigate it and make sure there are no other security issues with it.”
In an additional precautionary measure, Facebook is logging out everyone who used the View As feature since the vulnerability was introduced. “This will require another 40 million people or more to log back into their accounts. We do not currently have any evidence that suggests these accounts have been compromised, but we’re taking this step as a precautionary measure,” says the post.
The company has 2 billion global users.
Facebook says it does not know who is behind this massive security attack or where they are based.
“We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens,” Guy Rosen has said in the statement.
Giving technical details about the latest breach, Pedro Canahuati, VP, Engineering, Security and Privacy, has explained in a separate post the vulnerability was a result of the interaction of three distinct bugs.
“View As is a privacy feature that lets people see what their own profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video,” he says.
Explaining the second bug, the post says, “A new version of our video uploader (the interface that would be presented as a result of the first bug), introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.”
About the third bug, Canahuati says, “When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.”
These three bugs combined resulted in the vulnerability.
In the Cambridge Analytica scandal that hit Facebook earlier, data of nearly 87 million people had been breached upon.
In his statement, Mark Zuckerburg has admitted that Facebook needs “to continue developing new tools to prevent this from happening” again.