Breaking news: There’s been yet another privacy breach at Facebook, where hackers or malicious third parties have stolen data from as many as 50 million people as a result of a widespread security flaw.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” Guy Rosen, VP of Product Management, wrote in a blog post.
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
According to Motherboard, Rosen explained in a press call that “The vulnerability itself was the result of three distinct bugs and was introduced in July 2017. It’s important to say—the attackers could use the account as if they were the account holder.”
However, Facebook CEO Mark Zuckerberg sought to reassure users that the flaw was patched and that Facebook is "taking precautionary measures for those who might have been affected," forcibly signing out 90 million users who may have been affected and making them manually sign back in.
Additionally, Facebook has disabled the "View As" feature “while it conducts a thorough security review.”
Rosen added: "This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.'
The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
Even though this hack is different from the Cambridge Analytica scandal, where the personal data of 50 million users was obtained under false pretenses, it's still best to limit what you share on Facebook (or any other social media account) in case a security breach like this ever happens again...which it seems to do fairly regularly.