Facebook Admits Security Breach Affecting 50 Million Accounts
Facebook has apologized for a “security issue,” after discovering that hackers used a vulnerability in the platform’s code to steal other users’ ‘access tokens’ and log into their accounts. 50 million accounts were affected.
In a statement released Friday, the company said that attackers could use Facebook’s “view as” tool, which lets a user see what their profile looks like to other users, to steal other users’ access tokens. These tokens are digital keys that allow a user to stay logged into the social network without re-entering their password every time.
The issue was discovered by Facebook engineers on Tuesday, and Facebook said on Friday that it’s fixed the vulnerability, reset 50 million affected users’ access tokens, and informed law enforcement. The company reset a further 40 million users’ tokens as a precaution, bringing the total number of accounts affected in some way to 90 million.
BREAKING: Facebook admits security breach affected 50million accounts – attackers stole Facebook access tokens that they "could then use to take over people's accounts" pic.twitter.com/KCWSkzbk2G
— Sean Keach (@SeanKeach) September 28, 2018
“We have yet to determine whether these accounts were misused or any information accessed,” read Facebook’s statement. “We also don’t know who’s behind these attacks or where they’re based,” the statement continued.
The company then repeated a phrase it has used often in 2018: “we’re sorry.” Facebook’s year of apologizing began in March, when it was revealed that some 90 million users had their private data – including their personal messages – leaked to political research firm Cambridge Analytica.
From there, the company has been rocked by scandal after scandal, including multiple accusations of privacy infringement and politically-motivated censorship, and CEO Mark Zuckerberg found himself hauled in front of Congress in the US and the European Parliament in Brussels to assure lawmakers that his company takes privacy seriously.
Facebook’s latest privacy breach comes only one day after the social media behemoth confirmed that it uses phone numbers – provided by users for authentication and security purposes – to target advertisements.
The company admitted that it shares with advertisers “shadow contact” information, such as a phone number provided to Facebook for security reasons but not publicly displayed on a user’s page, or the phone numbers of users’ friends. One year beforehand, Facebook denied this practice.
“At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally” https://t.co/BrZ7Yeq5Jw
— DHH (@dhh) September 27, 2018
This is a great time for FB to bury bad news #KavanaughHearings
— Olivia Solon (@oliviasolon) September 28, 2018