According to Facebook, the attackers “used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.”
Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
That’s the gist of it. Facebook will inform you if you were affected, so if you don’t get any news you can relax: you should be fine.
Facebook is huge. Most people know it. According to the company itself, it has 2.2 billion monthly active users. The sheer size of the social network makes any data breach, like the Cambridge Analytica one, pretty much a disaster. Now Facebook has announced that it discovered its systems had been hacked and the information of 50 million users compromised.
In a post disclosing the hack of a large chunk of its users, Facebook also gave some insight into how the hack happened. Apparently a feature that should normally enhance the user’s privacy, “View As”, was exploited. This feature lets people see their Facebook profile the way it looks to specific groups of users, such as colleagues or family members.
Apparently it was possible to circumvent the “read only” setting of this feature and then obtain an access token that would let criminals into an account without ever entering a password. What’s even worse: such a token would not only grant access to Facebook but to any site the affected users had logged into with their Facebook account, for example Instagram, your local news website, or any other site that offers Facebook login.
Facebook reacted fast. The company discovered the issue around a week ago and has since fixed the vulnerability and reset the access tokens of the 50 million affected users. That’s not all though: the issue had apparently been present since 2017. The social network did not observe any suspicious activity until recently but has nonetheless reset a further 40 million tokens on top of the 50 million, just to be sure. So anyone who used “View As” in the last year was also logged out of Facebook, because their token had been reset, and had to log in again.
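The two-step token reset described above (revoke the tokens of accounts known to be affected, then, as a precaution, revoke every token minted through the risky feature inside a time window), as an added example that is not code from the article or from Facebook. The in-memory registry, the "login"/"view_as" source labels, and the users and dates are all constructed here; a real deployment would choose the window from when the bug was introduced and would also notify relying sites that accept these tokens.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Token:
    value: str
    user_id: int
    issued_at: datetime
    source: str          # constructed label: "login" or "view_as"
    revoked: bool = False


class TokenRegistry:
    """In-memory stand-in for a server-side session/token store (constructed)."""

    def __init__(self) -> None:
        self._tokens: dict[str, Token] = {}

    def issue(self, user_id: int, source: str, issued_at: datetime) -> str:
        # Opaque random token; the server, not the client, holds the mapping.
        value = secrets.token_urlsafe(32)
        self._tokens[value] = Token(value, user_id, issued_at, source)
        return value

    def is_valid(self, value: str) -> bool:
        # A revoked token is rejected even though its value is still well formed.
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked

    def revoke_for_users(self, user_ids: set[int]) -> int:
        """Step 1: reset every token of the accounts known to be affected."""
        count = 0
        for tok in self._tokens.values():
            if tok.user_id in user_ids and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def revoke_by_source_since(self, source: str, since: datetime) -> int:
        """Step 2: precautionary reset of every token minted through the risky
        feature inside the window, even without evidence of misuse."""
        count = 0
        for tok in self._tokens.values():
            if tok.source == source and tok.issued_at >= since and not tok.revoked:
                tok.revoked = True
                count += 1
        return count


def run_remediation() -> dict:
    """Constructed scenario: four users; user 1 is confirmed affected, user 3
    only used the feature inside the window, user 4 used it long before."""
    now = datetime(2018, 9, 28, tzinfo=timezone.utc)   # constructed date
    reg = TokenRegistry()
    reg.issue(1, "login", now - timedelta(days=30))
    reg.issue(1, "view_as", now - timedelta(days=30))
    t_login_u2 = reg.issue(2, "login", now - timedelta(days=5))
    t_viewas_u3 = reg.issue(3, "view_as", now - timedelta(days=200))
    t_old_viewas_u4 = reg.issue(4, "view_as", now - timedelta(days=500))

    affected = reg.revoke_for_users({1})
    precautionary = reg.revoke_by_source_since("view_as", now - timedelta(days=365))

    return {
        "affected_revoked": affected,                # both of user 1's tokens
        "precautionary_revoked": precautionary,      # user 3 only; user 4 is outside the window
        "u2_login_still_valid": reg.is_valid(t_login_u2),
        "u3_view_as_valid": reg.is_valid(t_viewas_u3),
        "u4_old_view_as_valid": reg.is_valid(t_old_viewas_u4),
    }


if __name__ == "__main__":
    print(run_remediation())
```

The point of recording the minting source and time per token is that the precautionary sweep can be scoped to the feature and period at risk instead of logging every user out; the unrevoked old token of user 4 shows why the window must start no later than the date the flaw was introduced.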
Considering how much data Facebook collects – after all, that’s how the company makes money – someone having access to probably more than 50 million user accounts is horrendous. If you are afraid that something like this could have happened to you (or may happen in the future with other online companies), there are a couple of things you can do to protect yourself: