Facebook has announced that a combination of bugs allowed hackers to obtain access tokens for at least 50 million accounts, and prompted token resets for as many as 90 million.
Because the bugs lay in the ‘View As’ and video upload features, which any logged-in user can reach, it appears that any account on the site could have been targeted. Facebook says about 50 million accounts were “directly affected”; the tokens of a further 40 million were reset as a precaution, bringing the total to roughly 90 million.
According to the security note Facebook posted on Friday morning, the breach was enabled by a vulnerability in Facebook’s “View As” feature – somewhat ironically, a feature built for privacy, since it lets users see how their profile appears to other people. The “View As” preview wrongly displayed a video-upload composer, and the access token that composer generated was issued for the user being impersonated rather than for the person using the feature. An access token is what keeps a user logged in, so anyone who extracted one could take over the targeted account without ever entering (or needing to know) its password.
The stolen tokens could also be used to log into third-party apps and websites that rely on Facebook Login, including Instagram.
During a press call, VP of Product Management Guy Rosen said that the vulnerability was introduced in July 2017 and that the first sign of exploitation was an unusual spike in traffic spotted on September 16th. The vulnerability itself was identified on September 25th; law enforcement was notified on the 26th and the fix was deployed on the 27th.
Facebook says it has reset the access tokens of the roughly 50 million accounts it knows were affected, which forces those users to log in again. As a precaution it has also reset the tokens of a further 40 million accounts that had used the “View As” feature in the past year, even though much of that usage may have been legitimate rather than attacker activity.
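The bug class described above, and the token-reset remediation, can be shown with a small token service. This is an added, simplified model written for this article; it is not Facebook’s code, and the class and function names (TokenService, view_as_vulnerable, view_as_fixed, reset_tokens) and the HMAC token format are assumptions chosen for illustration. The vulnerable “View As” renderer mints the uploader’s token for the impersonated viewer, so whoever is using the feature walks away with someone else’s token; the fixed renderer binds the token to the authenticated caller, and a per-user generation counter lets the service invalidate every outstanding token for a set of accounts in one step.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a session-token service (not Facebook's code).
# Token format (assumed): "<user_id>:<generation>:<nonce>:<hmac-sha256 hex>".
class TokenService:
    def __init__(self, key: bytes):
        self._key = key
        # Per-user "generation" number. Bumping it invalidates every token
        # previously issued for that user, which is how a bulk reset works here.
        self._generation: dict[str, int] = {}

    def issue(self, user_id: str) -> str:
        gen = self._generation.get(user_id, 0)
        body = f"{user_id}:{gen}:{secrets.token_hex(8)}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{mac}"

    def validate(self, token: str):
        """Return the user id the token grants access to, or None if it is invalid."""
        body, _, mac = token.rpartition(":")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        user_id, gen, _nonce = body.split(":")
        if int(gen) != self._generation.get(user_id, 0):
            return None  # issued before a reset: no longer valid
        return user_id

    def reset_tokens(self, user_ids) -> None:
        """Invalidate all outstanding tokens for the given users (precautionary reset)."""
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1


def view_as_vulnerable(svc: TokenService, caller: str, viewer: str) -> dict:
    """'View As' preview that wrongly embeds the video-upload composer.

    BUG: the composer's token is minted in the context of the user being
    impersonated (`viewer`), not the authenticated `caller`, so the caller
    receives a token that logs them in as `viewer`.
    """
    uploader_token = svc.issue(viewer)
    return {"profile_of": caller, "seen_as": viewer, "uploader_token": uploader_token}


def view_as_fixed(svc: TokenService, caller: str, viewer: str) -> dict:
    """Hardened preview: any token that is minted belongs to the authenticated
    principal, never to the impersonated viewer. A stricter fix is to render
    no composer at all in a read-only preview; this version keeps one so the
    token binding is visible."""
    uploader_token = svc.issue(caller)
    return {"profile_of": caller, "seen_as": viewer, "uploader_token": uploader_token}


def demo() -> dict:
    """Walk through the attack and the remediation; returns observed outcomes."""
    svc = TokenService(b"constructed-demo-key")
    # Attacker 'mallory' uses View As to see her profile as 'bob' would.
    stolen = view_as_vulnerable(svc, "mallory", "bob")["uploader_token"]
    results = {"vulnerable_grants": svc.validate(stolen)}        # "bob": account takeover
    safe = view_as_fixed(svc, "mallory", "bob")["uploader_token"]
    results["fixed_grants"] = svc.validate(safe)                  # "mallory": only herself
    svc.reset_tokens(["bob"])                                     # precautionary reset
    results["stolen_after_reset"] = svc.validate(stolen)          # None: token dead
    return results


if __name__ == "__main__":
    print(demo())
```

The reset does not need to know which tokens the attacker holds: incrementing the generation for an account kills every token issued under the old value, which is why resetting the 40 million precautionary accounts is cheap and why those users simply have to log in again.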
Facebook’s statement on the breach can be viewed here.