Hackers have exploited a security vulnerability they have found on the website. Facebook has said in their blog post that they have discovered a bug which is part of the site’s “View As” feature that let a user see their profile as someone else. As of this writing, the feature has been turned off.
Their blog post states that the bug allowed hackers to obtain account access tokens. Such tokens are what keep users logged in after they enter their username and password, so a stolen token lets an attacker act as the account's owner without knowing the password.
As a preventative measure, Facebook has reset access tokens of all affected users, and 40 million more as a caution. Approximately 90 million users will have been logged out over the past day or so. Users are notified in their news feed once they log back in.
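To make the "reset access tokens" mitigation concrete, here is an added example (not Facebook's code; the server key, the user IDs and the token format are constructed for illustration). Each user carries a generation counter that is baked into every token issued to them; a forced reset bumps the counter, so any token minted before the reset, stolen or not, fails validation even though its signature is still intact. A token that no longer validates simply sends the user back through the login flow, which is the "logged out" experience described above.

```python
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real deployment loads this from a secret manager.
SERVER_KEY = secrets.token_bytes(32)


class TokenStore:
    """Issue and validate access tokens bound to a per-user generation counter.

    Bumping a user's generation invalidates every token issued before the bump,
    which is what a bulk "reset tokens / log everyone out" response amounts to.
    """

    def __init__(self):
        self.generation = {}  # user_id -> current generation number

    def issue(self, user_id):
        # User IDs must not contain ':' because it is the field separator.
        gen = self.generation.setdefault(user_id, 1)
        body = f"{user_id}:{gen}:{secrets.token_hex(8)}"
        mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def validate(self, token):
        """Return the user_id the token belongs to, or None if it is not acceptable."""
        try:
            body, mac = token.rsplit(".", 1)
            user_id, gen, _nonce = body.split(":")
        except ValueError:
            return None  # malformed
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered or forged
        if int(gen) != self.generation.get(user_id):
            return None  # valid signature, but issued before a reset
        return user_id

    def reset(self, user_ids):
        """Invalidate all outstanding tokens for the given users in one step."""
        for uid in user_ids:
            self.generation[uid] = self.generation.get(uid, 1) + 1


def demo():
    """Walk through issue -> reset -> re-issue and return what validate() saw at each step."""
    store = TokenStore()
    stolen = store.issue("alice")          # constructed: imagine this token leaked
    before = store.validate(stolen)        # "alice": token works before the reset
    store.reset(["alice", "bob"])          # bulk reset of affected (and precautionary) users
    after = store.validate(stolen)         # None: leaked token is now dead
    fresh = store.validate(store.issue("alice"))  # "alice": a new login works again
    return before, after, fresh


if __name__ == "__main__":
    print(demo())
```

The generation counter lives only on the server, so nothing about the token itself changes between a live and a revoked one; this is why a signature check alone is not enough and the validation path has to consult server-side state.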
They are still investigating whether these accounts were misused or any other information was accessed, as well as who is behind the attack and where they are based. The activity was noticed when the attackers started automating their attack on a large scale. The attackers tried to access account information by querying its developer APIs, which Facebook had already locked down.
The vulnerability, which was a result of three distinct bugs, was introduced in July 2017, when Facebook created a new video upload functionality on the service. On September 16, 2018, Facebook discovered unusual activity and launched an investigation that same week. On Tuesday, September 25, it uncovered the attack. It then notified law enforcement on Thursday, September 27, in the afternoon.
The FBI is now involved with the investigation since users in Europe are also affected. Data protection authorities in Ireland were notified due to the fact that it is where the company’s European Headquarters are located.
The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.
With this recent attack on Facebook, the company is now leaning towards a slower and more cautious approach to how things are done. With 2.2 billion monthly active users, attackers are more than hungry to obtain information they can put to use. Information is power and everybody knows that. It just depends on who is holding that power that makes it dangerous.