Saturday, Sep 29, 2018

Facebook data breach hits 50 million users, also affects users who use Facebook to sign into third-party services like Tinder and Spotify


If you found yourself signed out of your Facebook account, then you might have been “directly affected” by a data breach that Facebook just announced to the public. A bug discovered earlier this week involving the site’s “View As” feature has left at least 50 million users at risk. (View As is a feature that lets users view their profile as someone else.) The bug let hackers obtain users’ account access tokens, which keep users logged into their accounts even when they close their browsers. Stolen tokens can let hackers break into accounts. At the moment, Facebook can’t tell if accounts were misused or if any information was accessed. Facebook doesn’t know who is behind the attacks either. The company assures users it has reset access tokens for the 50 million users as well as an additional 40 million that might have been affected. Facebook says it’s informing users of the security incident through a notification on their News Feed once they log back in. Even Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were affected by the hack.

“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts,” Zuckerberg told reporters. “But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way,” he said.

During a follow-up conference call with reporters, it emerged that the breach also affected users who access other services using Facebook as a log-in, including apps like Tinder, Spotify, Airbnb, and even Facebook-owned Instagram.

The vulnerability has been around for a while: it was introduced back in July 2017 and was said to be the result of three distinct bugs that surfaced when the service created a new video upload functionality. Facebook discovered unusual activity on September 16, 2018 and launched an investigation, which found that the hackers were automating their attack on a “large scale.” The company discovered the attack on September 25 and told law enforcement on September 27. Facebook fixed the vulnerability by Thursday evening.

Both the FBI and the data protection authorities in Ireland (where the company’s European headquarters are located) have been informed about the breach. The FBI is now investigating, and the Irish Data Protection Commission asked Facebook to clarify the breach “urgently”: if the company is found to have breached European data protection rules, it can face fines of up to four percent of its global revenue.

To check if your account has been improperly accessed, head to your account’s security and login page, which shows where you’ve been logged in. If your access tokens were revoked and you had to log in again, you should only see the devices you used to log back in there. If you weren’t affected but want to take precautions, there’s an option to log out of all your sessions there, too. Now might also be the time to stop using a single sign-in for your accounts and reset those passwords, if you don’t do this often enough.

Source: TechCrunch + Business Insider
