Facebook says nearly 50 million accounts impacted by security breach

By published

Facebook has reset access tokens for around 90 million people in response to the breach.

Facebook today revealed that more nearly 50 million accounts have been affected by a "security issue." Discovered by Facebook's engineering team on September 25, the issue allowed attackers to take over people's accounts by stealing Facebook access tokens.

From Facebook:

Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

In response, Facebook has reset the access tokens of the nearly 50 million accounts that it is aware were affected by the breach. Further, the company says it is resetting tokens for an additional 50 million accounts as a precautionary measure.

As a result, people who have had their security tokens reset will have to log back into the Facebook and any of the Facebook apps they were previously logged into.

Given the avenue of attack, Facebook has also opted to turn off the "View As" feature as it conducts a security review. Currently, there's no indication as to who was behind the attack, but Facebook says it has reached out to law enforcement and has fixed the vulnerability.

Facebook, Privacy, and You: The Ultimate Guide

Dan Thorp-Lancaster
Dan Thorp-Lancaster

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.
18 Comments
  • what u get for having a robot in charge :P
  • LoL! 🤩
    Zuckerberg do look like a clean cut robot!
  • And people still use it for things other than casual promotion lol
  • ... And once again the average person won't care. They will make some lame excuse to themselves and keep on posting all their private data.
  • Ignorance is bliss in fb world! 🗺
  • i wonder how much persons that comment on WindowsCentral have a facebook account?
  • Interesting! Why don't you start that topic at the forum?
  • Yeah, I'd like to know that too.
  • I deleted my account two weeks back.
    🤗
  • Haven't been on my Facebook account in months
    😏
  • Is it a regional attack or global?
  • Global...
  • And to think that many people I know still consider Facebook to be way more secure and privacy-oriented than Microsoft and their online services... It's kind of scary.
  • Facebook is a spy hub, if not by hackers, then by NSA...
  • I would expect all account access tokens to be reset.
    Why only an additional 50 million?
    Facebook must get lots of complaints from users about "having to log in again"!
  • There's no bullet proof security. The best avenue is figuring out what to do one a beach has been detected. Also having a team that regularly hunts down active breaches is paramount. In this regard I commend FB in what they do. They found a hole, fixed it, and informed it's users. Security is a two way street. Consumers need to turn on FB's privacy settings. They are there and are accessible.
  • Well, if not because it needed to login to other apps (the other idiot stubborn developer that still want to use Facebook to signing up/log-ins), I've already deleted my account... Sigh...
  • lol