September 29th 2018
Facebook has revealed a breach that gave hackers the ability to take over users’ accounts. Some 50 million users have been affected, making it the largest breach in the social network’s history. The problem was discovered by Facebook engineers on Tuesday and patched on Thursday.
A spokesperson for the UK’s National Cyber Security Centre (NCSC) said: “We are investigating how this incident has affected people in the UK and advising on appropriate mitigation measures. Users should read the latest advice Facebook has published.”
The spokesperson continued: “Based on current information, we understand that Facebook have fixed the flaw and disabled ‘view as’. There is no evidence that people have to take action such as changing their passwords or deleting their profiles. However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
In a conference call with the media on Friday, Mark Zuckerberg said: “I’m glad we found this and fixed the vulnerability. But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”
The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected are being notified by Facebook and logged out of their accounts, requiring them to log back in.
The attackers stole access tokens, the keys that keep users logged in across browsing sessions so they do not have to enter their password every time. With a stolen token, an attacker can operate the account just as the user would, including using Facebook Login to sign in to third-party applications. A further 40 million users who have used Facebook’s ‘view as’ tool since July 2017 are also thought to need to log out, which invalidates their existing access tokens and protects their accounts. ‘View as’ enables users to see what their profile looks like to others.
On the same conference call, Vice President of Product Management Guy Rosen said that Facebook was working with the FBI, but other national security agencies were not mentioned. He said: “The investigation is early, and it’s hard to discover who is behind this; we may never know.” Facebook has also notified the Irish Data Protection Commission under the GDPR requirement to notify data protection authorities within 72 hours if any compromised users are in the European Economic Area.
The company’s shares fell by more than 3% following the revelation.