There was a security breach in Facebook two weeks ago that allowed hackers to control 50 million accounts and the company today is sharing more details about the attack. The attackers said to have exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As.”
This allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep users logged in to Facebook, so they don’t need to re-enter their password every time they use the app. Facebook said that it noticed an unusual spike of activity that began on September 14, 2018, and started an investigation.
Again on September 25th, it determined that it was an attack and identified the vulnerability and closed the vulnerability in two days, stopped the attack, and secured people’s accounts by resetting the access tokens. It also turned off the ‘view as.’ However, the company now says that only fewer people were impacted than it originally thought. A total of 30 million were attacked instead of 50 million.
The attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account, so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. Facebook said that in the coming days, it will send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.
The company also clarified that this attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.