Recently another incident surfaced in which hackers stole the Facebook access tokens of almost 50 million accounts. On 25 September, Facebook's engineering team noticed that hackers had exploited a vulnerability in its code.
They took advantage of flaws in Facebook’s “View As” code and stole access tokens, which allow users to stay logged in to their Facebook account.
When did this happen?
The security flaws in Facebook’s code first appeared in July 2017, when Facebook made some changes to its “Video Uploading” feature.
Until 16th September 2018, everything seemed normal, with no unusual activity, until Facebook saw a jump in user access to the website. An investigation was then launched, and it uncovered this attack by the hackers.
So it’s pretty clear that the hackers had the chance to exploit the vulnerability in the code from July 2017 to Sep 2018.
How did this happen?
As of now, the investigation is in its preliminary stage and, according to reports, there are three bugs inside Facebook’s “View As” code. Hackers stole these “digital access token keys” to take over people’s accounts.
Because the tokens are digital keys, anyone holding them does not need to re-enter the password to gain access to the user’s account.
How many users are affected?
It’s not clear how many people are affected, but Facebook has reset the access tokens for nearly 50 million accounts. The purpose of the hack, and whether the accounts were misused, is also still unclear.
Facebook said it has already reset the access tokens, so there is no need to change your password for now. But for your safety, we suggest you visit Settings -> Security and Login and log out of all devices at once.
How did Facebook solve the issue?
The issue has been patched and Facebook has reset accounts for 90 million people. The users who are affected will have to log back into their Facebook account, including apps that require Facebook Login.
After a successful login, they will get information through their notification panel describing what just happened.
For the time being, Facebook has temporarily turned off the “View As” feature.
What do Facebook and Mark Zuckerberg have to say about it?
Facebook and Mark both released an official update on the situation; you can read the official apology here.
Here is what Mark Zuckerberg said: