Facebook security breach allowed hackers to control the accounts of up to 50 million users
Facebook discovered a security issue that allowed hackers to access information that could have let them take over around 50 million accounts, the company announced on Friday.
Following the disclosure, shares of Facebook extended midday losses and ended trading 2.5 percent down.
By Michelle Castillo September 28, 2018 CNBC.com
"This is a very serious security issue, and we're taking it very seriously," said CEO Mark Zuckerberg on a call with reporters.
Facebook shares, which were already down about 1.5 percent before the announcement, extended losses after the disclosure and ended down 2.6 percent.
The company said in a blog post that its engineering team found on Tuesday that attackers identified a weakness in Facebook's code regarding its "View As" feature. Facebook became aware of a potential attack after it noticed a spike in user activity on Sept. 16.
"View As" lets users see what their profile looks like to other users on the platform. This vulnerability, which consisted of three separate bugs, also allowed the hackers to get access tokens — digital keys which let people stay logged into the service without having to re-enter their password — which could be used to control other people's accounts.
Almost 50 million accounts had their access tokens taken, and Facebook has reset those tokens. The company also reset tokens for an additional 40 million accounts who used the "View As" feature in the last year as a precautionary measure, for a total of 90 million accounts. Facebook had 2.23 billion monthly active users as of June 30.
The reset will require these users to re-enter their password when they return to Facebook or access an app that uses Facebook Login. They will also receive a notification at the top of their News Feed explaining what happened.
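The response described above is, in engineering terms, server-side invalidation of bearer tokens: a stolen token stays dangerous only as long as the server keeps honoring it, so the fix is to stop honoring every token issued to an affected account and force a fresh login. The following is an added illustration written for this article, not Facebook's code; it assumes a hypothetical opaque-token store with a per-user "valid after" cutoff, a constructed feature-usage log standing in for "View As" usage, and a notice queue standing in for the News Feed message.

```python
"""Toy access-token store showing the incident response pattern in the article.

Added example (not Facebook's code). Tokens are opaque random strings looked
up server-side. Revocation never deletes rows; it bumps a per-user cutoff so
that every token issued before the cutoff fails validation at once, which is
cheaper and safer than hunting down individual stolen tokens.
"""
import secrets
from collections import defaultdict


class TokenStore:
    def __init__(self):
        self.tokens = {}                          # token -> (user_id, issued_at)
        self.valid_after = {}                     # user_id -> cutoff timestamp
        self.feature_use = defaultdict(list)      # user_id -> [timestamps] (constructed log)
        self.notices = {}                         # user_id -> message shown at next login

    def issue(self, user_id, now):
        """Mint an unguessable token; the server only ever compares by lookup."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, now)
        return token

    def validate(self, token):
        """Return the user for a live token, or None if unknown or revoked."""
        record = self.tokens.get(token)
        if record is None:
            return None
        user_id, issued_at = record
        # Any token issued at or before the user's cutoff is dead, even though
        # it still exists in the table.
        if issued_at <= self.valid_after.get(user_id, float("-inf")):
            return None
        return user_id

    def record_feature_use(self, user_id, when):
        self.feature_use[user_id].append(when)

    def revoke_all_for(self, user_id, now, message):
        """Log the user out everywhere and queue an explanation for next login."""
        self.valid_after[user_id] = now
        self.notices[user_id] = message

    def respond_to_incident(self, compromised, since, now):
        """Reset known-affected accounts, then precautionarily reset everyone
        who used the vulnerable feature since the bug was introduced."""
        for user_id in compromised:
            self.revoke_all_for(user_id, now,
                                "Your session was reset because your account was affected.")
        precautionary = {
            user_id for user_id, uses in self.feature_use.items()
            if user_id not in compromised and any(t >= since for t in uses)
        }
        for user_id in precautionary:
            self.revoke_all_for(user_id, now,
                                "Your session was reset as a precaution.")
        return {
            "compromised": len(compromised),
            "precautionary": len(precautionary),
            "total": len(compromised) + len(precautionary),
        }


if __name__ == "__main__":
    store = TokenStore()
    stolen = store.issue("alice", now=100)
    store.record_feature_use("bob", 150)
    print(store.respond_to_incident({"alice"}, since=120, now=200))
    print("stolen token still valid?", store.validate(stolen) is not None)
```

Two design points worth noting: the cutoff approach means a token that was stolen but never observed is still neutralized, and because revocation is keyed by issue time, a user can be re-issued a token immediately after the reset without touching the old rows.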
In addition, the company suspended the "View As" feature while it reviews its security. Facebook said it fixed the issue on Thursday night and has notified law enforcement including the FBI and the Irish Data Protection Commission in order to address any General Data Protection Regulation (GDPR) issues.
Facebook said it has just begun its investigation and has not determined if any information was misused, but the initial investigation has not uncovered any information abuse. The hackers did query Facebook's API system, which lets applications communicate with the platform, to get more user information. The company is not sure if the hackers used that data, nor does it know who orchestrated the hack or where the person or people are based.
The company said there is no need to change passwords. If additional accounts are affected, Facebook said it will immediately reset those users' access tokens. Facebook is doubling the number of employees who are working to improve security from 10,000 to 20,000, the company reiterated.
"Security is an arms race, and we're continuing to improve our defenses," Zuckerberg said. "This just underscores there are constant attacks from people who are trying to underscore accounts in our community."
Zuckerberg addressed the issue in a Facebook post on his account. Read it below:
I want to update you on an important security issue we've identified. We patched the issue last night and are taking precautionary measures for those who might have been affected. We're still investigating, but I want to share what we've already found:
On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people's accounts on Facebook.
We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.
We've already taken a number of steps to address this issue:
1. We patched the security vulnerability to prevent this attacker or any other from being able to steal additional access tokens. And we invalidated the access tokens for the accounts of the 50 million people who were affected – causing them to be logged out. These people will have to log back in to access their accounts again. We will also notify these people in a message on top of their News Feed about what happened when they log back in.
2. As a precautionary measure, even though we believe we've fixed the issue, we're temporarily taking down the feature that had the security vulnerability until we can fully investigate it and make sure there are no other security issues with it. The feature is called "View As" and it's a privacy tool to let you see how your own profile would look to other people.
3. As an additional precautionary measure, we're also logging out everyone who used the View As feature since the vulnerability was introduced. This will require another 40 million people or more to log back into their accounts. We do not currently have any evidence that suggests these accounts have been compromised, but we're taking this step as a precautionary measure.
We face constant attacks from people who want to take over accounts or steal information around the world. While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place. If you've forgotten your password or are having trouble logging in, you can access your account through the Help Center.