A Common Facebook Feature Is the Source of a 30-Million-User Security Flaw
It looks bad, no matter how you view it.
Facebook announced on Friday that approximately 30 million accounts were compromised by a hacker or group of hackers that took advantage of a vulnerability in the site’s source code. This latest security breach enabled the attackers to harvest users’ profile information — like their name, gender, and hometown — and take over those accounts for an unknown amount of time.
Update: The results of a further review published on October 12 revealed that the hack affected fewer accounts than previously disclosed. The story has been updated to reflect the new numbers.
This breach stemmed from Facebook’s “View As” feature, which enables users to see how their profiles appear to others. Facebook engineers discovered the security flaw on Tuesday, fixed it, and then notified law enforcement agencies including the FBI, according to a statement.
It’s arguably Facebook’s most serious security problem yet: Because of the scope of control the hackers had over accounts, it appears worse than even Cambridge Analytica. Meanwhile, Federal Trade Commission Commissioner Rohit Chopra has already put out a short statement saying he will be investigating the matter.
“I want answers,” Chopra declared on Twitter in the wake of the news.
Guy Rosen, Facebook’s vice president of product, writes in the company’s blog post that the “View As” flaw allowed hackers to steal Facebook access tokens that could be used to take over people’s accounts.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen writes.
What Are Facebook Access Tokens?
To close the breach, Facebook has reset the access tokens of roughly 50 million accounts. An additional 40 million accounts were also reset if the “View As” feature was used in the past year. This means roughly 4 percent of Facebook’s 2.2 billion monthly active users had to log back into their accounts Friday. It’s unclear whether people who were not logged out were unaffected.
Facebook executives told reporters Friday that passwords and credit card information were not compromised in this security breach. The company stated that its investigation is in its “early stages” but that it would provide more information at a later date as it discovers details.
“Security is an arms race and we’re continuing to improve our defenses,” said CEO Mark Zuckerberg on the call. “This is going to be an ongoing effort and we’re going to have to keep on focusing on this over time.”
Facebook is currently being investigated by the FBI, SEC, FTC and the Department of Justice for its mismanagement of data in the Cambridge Analytica scandal, when the personal data of 87 million users was used for political purposes. This most recent breach adds yet more scrutiny to the company’s privacy record.
The breach also caps an unusually bad week of press, even for Facebook. On Monday, the founders of Instagram — one of Facebook’s star products — announced they would be leaving the company. Two days later, WhatsApp founder Brian Acton reiterated his call to delete Facebook in a dishy Forbes interview, citing privacy concerns.
Who is Behind the Facebook Hack?
Sheryl Sandberg, Facebook’s chief operating officer, offered some color around the question on Friday this way: “While we still don’t know who’s behind these attacks, whether these accounts were misused, or if any information was accessed, we’re logging out around 90 million accounts that might have been affected as a precaution. This is why you might be getting a message that asks you to log in again.”