In the biggest-ever security breach of privacy and data, Facebook on Friday admitted that hackers broke into nearly 50 million users’ accounts by stealing their “access tokens” or digital keys.
This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts, Facebook said in a statement.
Access tokens are the equivalent of digital keys which allows a user to stay logged in on Facebook for a long period of time, so they do not need to re-enter their password every time they use the application.
“Our investigation is still in its early stages. But it is clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to somebody else,” Facebook said in a statement.
Facebook security team discovered the security issue on Tuesday, and it has now fixed the vulnerability and informed the law enforcement.
“We have reset the access tokens of nearly 50 million accounts we know were affected to protect their security. We are also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. Therefore, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” Facebook said in a statement.
“For the time being We are turning off the ‘View As’ feature while we conduct a thorough security review,” Facebook said.
This attack exploited the complex interaction of multiple issues in Facebook code.
“The attackers not only wanted to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” it said.
Facebook said, they don’t know who is behind this massive security attack or where they are based.
“We’re working hard to better understand these details and “we will update this post when we have more information, or if the facts change,” said the company.
“If you’ve been logged out of your account and asked to sign back in, it’s because we’ve discovered a security issue and are taking immediate action to protect people on Facebook” Facebook tweeted.