Facebook security breach impacts 50 million users


Posted: Sep 28, 2018 3:49 PM

NEW YORK — Facebook says it recently discovered a security breach affecting nearly 50 million user accounts.

In a blog post, the company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Facebook says it has taken steps to fix the security problem and alerted law enforcement.

To deal with the issue, Facebook reset some logins, so 90 million people have been logged out and will have to log in again. That includes anyone who has been subject to a “View As” lookup in the past year.

Facebook says it doesn’t know who’s behind the attacks or where they’re based.

The hack is the latest security headache for Facebook, which has been dealing with political disinformation campaigns from Russia and elsewhere since 2016.

Guy Rosen, VP of Product Management for Facebook, issued this statement:

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement.

Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.

People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.
