Social media giant Facebook is the latest major tech company to be hit with a significant data breach, revealing over the weekend more than 50 million accounts were affected by a login vulnerability in the company’s code.
In a blog post on Saturday, Facebook’s vice president of product management Guy Rosen alerted users to the vulnerability, which had only been discovered three days earlier.
The vulnerability affected a feature of Facebook known as ‘view as’, where users can see their profile as it would look to a member of the public, or as a specific member of their friends list. The vulnerability was only detected after the Facebook team saw an unusually high increase in the number of people using the ‘view as’ feature.
By exploiting this feature, attackers were able to extract users’ ‘access tokens’ for their accounts, and the accounts of anyone they were friends with. Access tokens are akin to ‘digital keys’, and are what Facebook uses to keep users logged into their accounts without the need to continuously enter their usernames and passwords.
Access tokens can also be used to log in to third-party applications using Facebook Login, such as websites like eBay and Pinterest. Facebook founder Mark Zuckerberg’s account was one of the millions affected by the breach, reports Quartz.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Rosen said.
After finding the vulnerability, Facebook logged out the 50 million affected users from all instances of Facebook, along with any third-party apps they were logged into.
However, a further 40 million accounts were also logged out, with the company taking precautions for any account where the ‘view as’ feature was used since July 2017. This means over 90 million accounts were logged out by the social media giant in response to the vulnerability.
What does this mean for users?
Unlike other data breaches which have affected tech giants such as Yahoo and Uber, Facebook’s issue wasn’t strictly a data breach, as users’ personal data such as usernames, passwords and credit card details were not revealed.
Michael McKinnon, cybersecurity expert and manager at HackLabs, tells SmartCompany evidence of an actual data breach as a result of the access token vulnerability is yet to be seen, but believes there’s likely more to come on this story yet.
“This is more like someone leaving the front door unlocked but no one actually going into your house and taking anything. It may not be a breach, but it certainly is a vulnerability,” he says.
“I would suggest there’s more news to come on this and Facebook’s only in the early days of its investigation.”
In the announcement, Rosen specified Facebook was only in the early days of its investigation and was “yet to determine whether these accounts were misused or any information accessed”. The company also specified it didn’t know who was behind the attacks, or where they were based.
At this point, neither Facebook nor McKinnon knows how this will play out for affected users, with McKinnon calling it “mysterious”, and saying it may mean absolutely nothing or we may find out numerous accounts were breached as a result.
“If it becomes evident that accounts were accessed and data was potentially compromised, people will be concerned depending on their personal context,” McKinnon says.
“Data breaches can be hugely contextual, and it depends on your individual circumstances, such as if you were in a violent relationship and your partner was stalking you, having your personal details available online could be extremely dangerous.”
As for any action users can currently take, there’s not a lot to be done, says McKinnon, due to the unique nature of the vulnerability. He advises users to make sure they’re using strong and diverse passwords across all their online accounts.
SmartCompany contacted Facebook Australia and was referred to Rosen’s statement as the latest on the issue.