What Happened?
Facebook on Friday disclosed a breach of its network that affected almost 50 million user accounts. The social networking giant said that attackers exploited a vulnerability in Facebook’s code that let them steal access tokens – digital keys that keep users logged in after they enter their username and password, so they don’t have to re-enter them. It only happened to people who previously used a feature called “View As” – it lets you see what your profile looks like to somebody else, so you can check how much of your Facebook information is visible to strangers. The access tokens allowed the attackers to take over user accounts; however, it’s still unclear whether user data was accessed and misused.
How Facebook is trying to protect you
Facebook said it has secured its network and affected user accounts since engineering discovered the attack on September 25. The bug was fixed and Facebook said it has notified law enforcement.
In the meantime, the company has reset the access tokens on all of the affected user accounts, as well as on another 40 million accounts that were subject to a “View As” look-up in the last year.
Anyone impacted by the reset will need to log back into Facebook and on any apps that use Facebook Login (common ones include Airbnb, Facebook Messenger, music streaming services, and more). Once logged back in, affected users will see a notification at the top of News Feed alerting them to the incident. Facebook has also disabled the “View As” feature while it conducts a security review.
Security implications
Taking over a session cookie will not let an attacker access your password, because the cookie is a separate credential issued after login and does not contain the password. It may still be a good idea to change the password, especially if you use the same password somewhere else. Technically, the stolen “cookies” could allow hackers to access your Facebook account, but Facebook claims it hasn’t happened. Regardless, if you were logged out and had to log in again, your old session cookie was invalidated and is useless to the hackers.
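To show why a reset makes stolen tokens useless without touching passwords, here is an added illustration (not Facebook’s code): each user has a token “generation” counter, tokens are signed with a server key, and a reset simply bumps the counter so every token issued before it stops validating. The server key, user ids and timestamps are constructed for the example.

```python
import hmac
import hashlib
import time
from typing import Iterable, Optional

# Constructed server-side secret for this example only; a real deployment keeps it out of the code.
SERVER_KEY = b"example-server-key-not-for-production"

# Per-user token generation. Bumping it is the "reset" described above: every token issued
# under an older generation is rejected, while the user's password is never involved.
_token_generation = {}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue a signed token carrying user id, generation and expiry (never the password)."""
    gen = _token_generation.setdefault(user_id, 0)
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    payload = f"{user_id}:{gen}:{exp}"
    return f"{payload}:{_sign(payload)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic, unexpired and from the current generation."""
    try:
        user_id, gen, exp, sig = token.rsplit(":", 3)
    except ValueError:
        return None  # malformed
    payload = f"{user_id}:{gen}:{exp}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered with or forged
    if int(exp) < (now if now is not None else time.time()):
        return None  # expired
    if int(gen) != _token_generation.get(user_id, -1):
        return None  # revoked by a reset; the holder must log in again
    return user_id


def reset_tokens(user_ids: Iterable[str]) -> None:
    """Invalidate every outstanding token for the given users without changing their passwords."""
    for uid in user_ids:
        _token_generation[uid] = _token_generation.get(uid, 0) + 1
```

A stolen token copied before `reset_tokens` ran fails validation afterwards, which is exactly what forced affected users to log in again.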
It doesn’t look like there is much to worry about now, at least until we get more reports, but better safe than sorry! If you think your computer might need a security check-up, you can contact us.