On Tuesday, 25th September 2018, the Facebook team released a security notice to all users about a security breach that occurred on the Facebook platform. Findings revealed that an unknown malicious actor hacked the site and managed to compromise about 50 million users’ accounts.
An earlier investigation revealed that the breach was caused by security vulnerabilities in Facebook’s source code. The attacker was able to exploit those vulnerabilities to affect “View As”, a feature on Facebook that lets users see how their own profile looks to someone else. Through this exploitation, the attacker was able to steal Facebook access tokens and thereafter take control of users’ accounts.
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they do not need to re-enter their password every time they use the application.
The vulnerabilities originated from a change the Facebook team made to the video uploading feature in July 2017, which affected the “View As” feature.
The Facebook security team is yet to establish whether any of the compromised accounts have been misused or any users’ information disclosed.
So far, the Facebook security team has implemented a number of security measures to address the matter, including the following:
a. Fixed the vulnerabilities and informed law enforcement of the security breach for appropriate legal action.
b. Reset the access tokens of the almost 50 million accounts known to be affected, to protect their security.
c. As a precautionary measure, reset the access tokens of another 40 million user accounts that have been subject to a “View As” look-up in the last year. As a result of this action, about 90 million users will now have to log back in to Facebook, or to any of their apps that use the Facebook username and password to log in. On successfully logging back in, users will get a notification at the top of their News Feed explaining what happened, as shown in the figure below.
d. Temporarily turned off the “View As” feature while conducting a detailed security review.
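The token resets in items b and c end every active session of an affected account without touching its password, which is why users are asked to log back in rather than to change passwords. The following is an added illustration of how a service can implement that kind of bulk invalidation; it is not Facebook’s code and does not describe Facebook’s actual token format. The signing key, the account ids, the timestamps and the 60-day lifetime are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key (constructed for this example); a real
# deployment would keep it in a key-management system, not in the issuing process.
SERVER_KEY = secrets.token_bytes(32)

# Assumed token lifetime: 60 days, expressed in seconds.
TOKEN_TTL_SECONDS = 60 * 60 * 24 * 60


class TokenService:
    """Issues signed access tokens and supports bulk per-account invalidation.

    Each token carries the account id and its issue time. Instead of deleting
    tokens one by one, a reset records a per-account cutoff: any token issued
    before the cutoff is rejected, so every session of that account ends at
    once while the password stays untouched.
    """

    def __init__(self):
        # account id -> earliest issue time still accepted (constructed state)
        self.valid_after = {}

    def _sign(self, body: str) -> str:
        return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, account_id: str, now: int) -> str:
        """Create a token for account_id, stamped with the issue time `now`."""
        payload = {"acct": account_id, "iat": now, "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def verify(self, token: str, now: int):
        """Return the account id if the token is genuine, unexpired and not reset, else None."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        # Constant-time comparison: a forged or tampered token fails here.
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        # Tokens older than the lifetime are rejected regardless of resets.
        if now - payload["iat"] > TOKEN_TTL_SECONDS:
            return None
        # Tokens issued before the account's reset cutoff are no longer accepted.
        if payload["iat"] < self.valid_after.get(payload["acct"], 0):
            return None
        return payload["acct"]

    def reset_tokens(self, account_ids, now: int) -> int:
        """Invalidate every token issued before `now` for the given accounts.

        Returns the number of accounts that currently have a reset cutoff.
        """
        for account_id in account_ids:
            self.valid_after[account_id] = now
        return len(self.valid_after)


def walkthrough():
    """Constructed scenario: two accounts, only one of which is reset."""
    svc = TokenService()
    alice_token = svc.issue("alice", now=1000)
    bob_token = svc.issue("bob", now=1000)
    before = (svc.verify(alice_token, now=1001), svc.verify(bob_token, now=1001))
    # Only the account known to be affected is reset; Bob keeps his session.
    svc.reset_tokens(["alice"], now=1002)
    after = (svc.verify(alice_token, now=1003), svc.verify(bob_token, now=1003))
    # Alice logs back in and receives a fresh token, which is accepted.
    relogin = svc.verify(svc.issue("alice", now=1004), now=1005)
    # A tampered copy of Bob's token (one signature character changed) is rejected.
    flipped = "0" if bob_token[-1] != "0" else "1"
    tampered = svc.verify(bob_token[:-1] + flipped, now=1005)
    return before, after, relogin, tampered


if __name__ == "__main__":
    print(walkthrough())
```

The cutoff approach scales to tens of millions of accounts because a reset is a single timestamp write per account rather than a search for every token ever issued; the cost is that every verification must consult the cutoff table, which in practice means keeping it in a fast, replicated store.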
5. Important to users
Following the security measures undertaken by the Facebook security team, there is no need for users to change their passwords. Those who have difficulty logging back into the Facebook application, for example because they have forgotten their password or for any other reason, should visit the Facebook Help Center.
Anyone who wants to take the precautionary measure of logging out of Facebook should visit the “Security and Login” section in Settings.