This week, Facebook suffered a major breach that left millions of accounts vulnerable to a malicious outside attack.
On Friday, Facebook officially announced that hackers accessed the Facebook network on Tuesday. According to the announcement, “nearly 50 million” accounts are affected by the illegal intrusion. The company also revealed that the hackers were able to gain access via the platform’s “View As” code. That feature allows Facebook users to see how their profile appears to people who look at it.
The hackers obtained Facebook access tokens, which are individual codes that allow Facebook users to remain logged in.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
At this point, Facebook says that it has informed law enforcement of the situation and has already patched the vulnerability. Facebook has not made clear whether any personal information was stolen or otherwise obtained from the accounts in question, or how those accounts might be misused in the future.
The social network has reset the access tokens for the nearly 50 million accounts that were affected by the breach. The company also confirmed it took precautions with an additional 40 million accounts that were accessed with the View As feature within the last year.
Finally, Facebook says that no one needs to change their passwords. [via Facebook]