Sophos News

Big Facebook data breach: 50 million accounts affected

Facebook has suffered a data breach affecting almost 50 million accounts. Access tokens for another 40 million accounts have been reset as a “precautionary step”.

What’s happened?

In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September.
Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.
Rosen says the vulnerability is now fixed.

We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.

Those affected will now have to log back into Facebook, and any apps that use Facebook Login.
Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts.
It’s still early days but Facebook says it looks like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.
Facebook says it doesn’t yet know if any accounts were misused or information was accessed.
But access tokens are what Facebook uses to authenticate you, so if you were affected you should assume that the attackers had access to all of your data – anything you can see, read, download or change when you log in to Facebook.
Serious bugs in Facebook are nothing new – we report on them all the time – but we normally hear about them through the company’s bug bounty program.
Facebook doesn’t know who was behind this attack, or why they did it, but whoever did it passed up on some very lucrative bounties.

What to do?

If you’ve been forcibly logged out by Facebook, then the forced logout will automatically have invalidated any existing access tokens for your account.
Rosen says there’s no need for anyone to change their passwords.
(Access tokens are generated randomly after Facebook has validated your password at login. The token contains nothing derived from the password, so there’s no way to work backwards from an access token to recover your password.)
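To make the token lifecycle described above concrete, here is an added, self-contained example written for this article (it is not Facebook’s code and makes no claim about how Facebook’s token store is built). A hypothetical `TokenService` validates the password, only then mints a random bearer token, stores just a hash of it, and offers a “log out of all sessions” operation. It shows the two points the article makes: a stolen token lets anyone act as the user without knowing the password, and revoking tokens fixes that without a password change. Usernames, passwords and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a minimal bearer-token service, not Facebook's implementation.
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo's password hashing


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class TokenService:
    def __init__(self):
        self.users = {}   # username -> (salt, password digest)
        self.tokens = {}  # sha256(token) -> (username, issued_at)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept server-side, so a leaked token
        # table cannot be replayed as live sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password):
        """Check the password first; only a correct password earns a token."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, expected = rec
        _, got = hash_password(password, salt)
        if not hmac.compare_digest(got, expected):
            return None
        # 256 random bits: the token is unrelated to the password, so it
        # cannot be reversed into it, but whoever holds it IS the user.
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = (username, time.time())
        return token

    def whoami(self, token):
        """What a bearer token authenticates as: the caller's identity is irrelevant."""
        rec = self.tokens.get(self._key(token))
        return rec[0] if rec else None

    def logout_all(self, username):
        """'Log Out Of All Sessions': revoke every token, leave the password alone."""
        doomed = [k for k, (u, _) in self.tokens.items() if u == username]
        for k in doomed:
            del self.tokens[k]
        return len(doomed)


def demo():
    """Walk through issue -> theft -> revoke; returns the observable results."""
    svc = TokenService()
    svc.register("alice", "correct horse battery staple")
    phone = svc.login("alice", "correct horse battery staple")
    laptop = svc.login("alice", "correct horse battery staple")
    assert svc.login("alice", "wrong password") is None

    # An attacker who has stolen the phone's token needs no password at all.
    attacker_sees = svc.whoami(phone)

    # Revocation is the remedy: both devices (and the thief) are logged out.
    revoked = svc.logout_all("alice")
    after_revoke = (svc.whoami(phone), svc.whoami(laptop))

    # The unchanged password still works, so no password reset was needed.
    fresh = svc.login("alice", "correct horse battery staple")
    return attacker_sees, revoked, after_revoke, svc.whoami(fresh)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the server never stores the raw token and never derives it from the password; that is what makes “reset the tokens, keep the password” a complete remedy for token theft, and it is why a password change would have added nothing here.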
Whether you’re affected or not, as a precautionary measure you can choose to log out of all your Facebook sessions as described below.
The process can be quite cumbersome so please read through the instructions fully.

LOGGING OUT OF ALL FACEBOOK SESSIONS


LOGGING OUT FULLY VIA YOUR BROWSER

If you have numerous sessions listed you will find a Log Out Of All Sessions option at the bottom of the list. This brings up a popup with a Log Out button. If not, you can log out of individual sessions by clicking on the three-dots icon on the right and choosing Log Out for each one. If you think that any of the sessions shown in your logged-in list weren’t connections from a device of your own, follow Facebook’s instructions by clicking on Secure Your Account or Not you?
Note that even after using Log Out Of All Sessions, your current session rather confusingly still shows as Active Now.

After this final step you should be dumped back to the main Facebook login page.


LOGGING OUT FULLY VIA THE APP ON YOUR PHONE

From here, follow the relevant part of the “via your browser” procedure described above to log out of all sessions, except for the current one that will still show as Active Now.

A popup will ask, “Are you sure you want to log out?” – if you choose Log Out, the app should dump you back at the main Facebook login screen.