Hackers may have stolen information of 50 million Facebook account holders, the social media giant has disclosed on Friday.
The company said in a statement this evening that the targeted accounts may have been taken over by hackers due to a security flaw.
Facebook said it discovered in the course of the week that the hackers stole some “access tokens” during an attack on its servers.
“It’s clear that attackers exploited a vulnerability in Facebook’s code,” said Facebook’s Vice President of Product Management, Guy Rosen.
THE ATTACK
On September 25, Facebook’s engineering team discovered a security vulnerability in the app’s “View As” feature that resulted in 50 million user accounts being breached. According to Facebook’s announcement, the attackers were able to steal Facebook access tokens from code attached to the “View As” feature, and leverage the tokens to take over user accounts. (Access tokens are the digital keys that allow users to remain logged in without having to enter their password every time they access their account.)
From Facebook’s announcement:
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
Facebook says it does not know how much damage has been done as it has just started the investigation. It is unaware whether the hacked accounts have been misused or whether any information was accessed. The company also reports it does not know who was behind the attacks or where they were based.
Facebook says it has fixed the vulnerability and is temporarily turning off the “View As” feature while it conducts a security review. In addition to announcing the security breach, the company has informed law enforcement.
The access tokens for the 50 million accounts that were hacked have been reset, along with access tokens for an additional 40 million accounts that were subject to a “View As” look-up during the past year (as a precautionary step). The combined 90 million users who have had access tokens reset will have to log back into their accounts as they have been automatically logged out by Facebook.
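The reset described above only works if the server can reject every token it issued before the reset without having to track each token individually. The following added example (not Facebook’s code; the names, the HMAC-signed token format and the per-user generation counter are assumptions chosen to illustrate the idea) shows one common way to do that: each token carries the user it belongs to and the user’s current “generation” number, the server signs it, and a bulk reset simply bumps the generation for the affected users so that all of their earlier tokens stop validating while other users stay logged in.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed: a per-process signing key. A real service would load this
# from a secret store and rotate it, never generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> bytes:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


class TokenService:
    """Issues and validates access tokens that can be revoked per user in bulk."""

    def __init__(self):
        # user_id -> generation counter; bumping it invalidates every token
        # issued to that user under the previous value.
        self.generation = {}

    def issue(self, user_id: str) -> str:
        gen = self.generation.setdefault(user_id, 0)
        payload = json.dumps(
            {"sub": user_id, "gen": gen, "nonce": secrets.token_hex(8)},
            separators=(",", ":"),
        ).encode()
        body = _b64(payload)
        sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        return (body + b"." + _b64(sig)).decode()

    def validate(self, token: str):
        """Return the user id the token belongs to, or None if it is not acceptable."""
        try:
            body, sig = token.encode().split(b".")
        except ValueError:
            return None  # malformed
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return None  # forged or tampered
        payload = json.loads(_unb64(body))
        # A token from an earlier generation was issued before a reset: reject it.
        if payload.get("gen") != self.generation.get(payload.get("sub")):
            return None
        return payload["sub"]

    def reset_users(self, user_ids) -> int:
        """Log the given users out everywhere by invalidating all their tokens."""
        for uid in user_ids:
            self.generation[uid] = self.generation.get(uid, 0) + 1
        return len(user_ids)


def demo():
    """Walk through issue -> bulk reset -> re-login with constructed users."""
    svc = TokenService()
    old_alice = svc.issue("alice")   # constructed: an account in the affected set
    bob = svc.issue("bob")           # constructed: an unaffected account
    svc.reset_users(["alice"])       # precautionary reset for the affected set
    return {
        "alice_old_rejected": svc.validate(old_alice) is None,
        "bob_still_valid": svc.validate(bob) == "bob",
        "alice_relogin_ok": svc.validate(svc.issue("alice")) == "alice",
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes a 90-million-account reset cheap: it is one integer update per affected user, with no list of revoked tokens to maintain, and every token the user obtains after the reset carries the new value.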
The company says users who have been logged out will see a notification at the top of their News Feed explaining what happened when they log back in, but the three Marketing Land staff members who had to log back into their accounts did not see any such notification.
SECURITY CONCERN ON FACEBOOK
Facebook’s security issues are an ongoing dilemma. In addition to its own choice to play it fast and loose with user data — a business decision that resulted in the Cambridge Analytica crisis — the company has had to announce multiple security breaches this year. In June, the company apologized for a bug that accidentally set 14 million users’ privacy status to public without their knowledge.
In September, it reported a glitch in the system that allowed users with both an app and Facebook Ads account to access Facebook Analytics data of other apps.
Today’s security breach is different, as it was an outside force attacking millions of user accounts. This is more in line with the attacks Facebook, Twitter and Google reported in August, although even then the 652 Pages Facebook removed were taken down for coordinated malicious behavior.
Facebook’s latest security breach is separate from coordinated behavior by bad actors — this is bad actors finding a way into Facebook’s system to hack user accounts and, potentially, use stolen accounts for malicious behavior.
Are we safe? While this question may continue to remain unanswered, we must all be conscious of the amount of information and private content we upload and share via our Facebook accounts.
Credit: Facebook, Marketingland.com