Massive Facebook Data Breach: What You Need to Know and Do ASAP
On Friday, tens of millions of Facebook users tried to see what their friends had shared only to find out that they had been mysteriously logged out of their accounts. After logging back in, they learned what the reason was – they were affected by a vulnerability that could have resulted in a complete account takeover.
The hole was first spotted on September 16, when Facebook's security people noticed a spike in the number of queries sent to one of the platform's APIs. There's no information on whether or not this spike is connected, but after an investigation, they found three separate bugs which, if combined, could have given attackers full access to a user's profile.
Worse than that, they realized that hackers had actually found the bug before them and had exploited it. Without losing time, they patched the vulnerability, informed law enforcement, and told the public what had happened.
Facebook logged me out of my account on Friday. Does that mean that I should change my password?
That won't be necessary. The account takeover vulnerability relied on stealing access tokens, not passwords. The access token is what allows you to stay logged in on both your mobile device and in your browser without having to enter your login credentials every time you want to scroll through your newsfeed. By logging you out of your account on all your devices, Facebook's security team effectively invalidated all your access tokens, which means that even if someone currently has them, they won't be able to use them. If Facebook hasn't logged you out of your account, it doesn't think that you're in any immediate danger.
How were the access tokens stolen?
The vulnerability was introduced in July 2017 when Facebook launched a new version of its video uploader, but curiously enough, the flaw was exploited through a completely different functionality – the View As feature.
The View As feature, as the name would suggest, lets you see which of the things you share are visible to your ex-significant other (or anyone else). In a conference call with reporters, Guy Rosen, Vice President of safety and security, said that when in View As mode, you shouldn't see Facebook's video uploader at all. Due to a bug, however, it did appear on some rare occasions. Its appearance triggered another bug which generated an access token that gave virtually unlimited permissions. The third and final bug resulted in the generation of the wrong access token – not the one for your account, but the one for the profile of your ex-better half.
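The two lessons in the passages above are that a token minted inside an impersonation or preview context must stay bound to the person who actually logged in (never to the profile being previewed) with no more scope than that context needs, and that a platform needs a way to invalidate every outstanding token for a user without touching their password, which is what the Friday mass logout did. The following is an added illustration of both, not Facebook's code or anything derived from it: a hypothetical toy token service with a made-up claim layout, a per-user generation counter and constructed sample users.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from dataclasses import dataclass
from typing import Optional

# Hypothetical server-side state (constructed for this example): a signing key
# and a per-user token generation counter. Bumping the counter is the
# "log everyone out" step that makes already-issued tokens useless.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass
class UserRecord:
    user_id: str
    token_generation: int = 0


USERS = {"alice": UserRecord("alice"), "bob": UserRecord("bob")}

# Scopes a preview ("view as") session may hold: read-only, never write.
PREVIEW_SCOPES = {"feed:read"}


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(actor_id: str, scopes: set, view_as: Optional[str] = None) -> str:
    """Issue a token for the *authenticated* actor. The view-as subject is
    recorded for auditing but never becomes the token's subject, and a
    preview context is capped to read-only scopes."""
    if actor_id not in USERS:
        raise PermissionError("unknown actor")
    if view_as is not None and not set(scopes) <= PREVIEW_SCOPES:
        raise PermissionError("write scopes are not issued in view-as context")
    claims = {
        "sub": actor_id,                       # always the logged-in user
        "gen": USERS[actor_id].token_generation,
        "scope": sorted(scopes),
        "view_as": view_as,
        "exp": int(time.time()) + 3600,
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, the token is unexpired and
    its generation matches the user's current counter; otherwise None."""
    try:
        body, sig = token.split(".")
        presented = _unb64(sig)
    except (ValueError, Exception):
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(_unb64(body))
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("gen") != user.token_generation:
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def invalidate_all_tokens(user_id: str) -> None:
    """Force-logout: every previously issued token for this user now fails
    verification, with no password change required."""
    USERS[user_id].token_generation += 1


if __name__ == "__main__":
    preview = mint_token("alice", {"feed:read"}, view_as="bob")
    print(verify_token(preview))          # sub is alice, not bob
    invalidate_all_tokens("alice")
    print(verify_token(preview))          # None: old generation
```

The generation counter is the cheap version of server-side revocation: verifying a token costs one lookup, and a mass invalidation is a single increment per affected user rather than a hunt through every token ever issued.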
How big was the attack?
On Friday, Facebook logged 90 million people out of their accounts in order to invalidate their access tokens. 50 million of those had their tokens stolen by hackers, and the rest were logged out just to be on the safe side.
Although the number of affected accounts represents a relatively small portion of Facebook's 2.2 billion active users, it's not to be sniffed at. Furthermore, it serves as proof that with massive online platforms like Facebook, when things go wrong, they go badly wrong for many people.
What did the hackers steal?
An active access token gives an attacker the ability to do everything the account owner can do. Basically, all information available in an account (save for the owner's credit card details) can be illegally obtained. Facebook's officials admit that it's still too early to say for sure, but so far, there's been no evidence of any data misuse. With that said, the scale of the attack was significant, and its nature suggests that it was carried out by a group of sophisticated hackers rather than a handful of script kiddies.
Facebook's investigation is ongoing, and we'll make sure to update you with further results the moment they become available. In the meantime, the most important question remains.
What can I do to protect myself?
In short, not much. There's no evidence of your password being compromised, so changing it is not really necessary, and the patch that was deployed last week has, in theory, stopped the attack in its tracks.
Facebook has made a few mistakes when it comes to users' privacy in recent months, though, which goes to show that one of the few things you can do is think carefully about whether you believe your data is in safe hands with Mark Zuckerberg's people. If you decide that you do want to continue using Facebook, you might want to review how much information is available on your profile. After all, your data can't be stolen if it's not there.