Identity access tokens stolen affecting nearly 50-million facebook accounts

About an hour ago, Facebook reported that it has discovered a security breach affecting nearly 50-million accounts, and that it’s not yet clear whether any information was accessed, or any accounts were otherwise misused. Historic City News is following this latest breach and will update the article as new information is released.

The vulnerability that caused the breach was found Tuesday and was fixed on Thursday night, Facebook says. The company is working with the FBI and investigating. That process is “still in its early stages,” the company said.

“We do not yet know if any of the accounts were actually misused,” Facebook CEO Mark Zuckerberg told reporters on Friday. “This is a really serious security issue, and we are taking it really seriously.”

Mark Zuckerberg

Here’s what we do know at this hour, because of the breach, attackers could gain access to a user’s account — hypothetically giving them the ability not only to view information, but to use the account as though they were the account holder.

One example was the personal facebook of Florida Governor Rick Scott. Historic City News editor Michael Gold received several communications pretending to be from Scott until an facebook messenger post looked peculiar. The posts have been frozen by Facebook until the identity of the sender is verified.

Facebook does not know who carried out the attacks or where they were based. They know the attackers attempted to access profile information, but not whether they succeeded; they do not yet have evidence that the attackers accessed private messages or posted to accounts.

The attack involved stealing “access tokens.” Facebook explains:

“[A]ttackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Facebook Security

Nearly 50 million accounts are known to be affected, and have had their access tokens reset. An additional 40 million accounts have had their tokens reset as a “precautionary step.”

“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Facebook says. “After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”

Facebook Security

The “View As” feature has also been temporarily turned off, pending a security review.

The vulnerability that made the attack possible was caused by multiple bugs in Facebook’s code interacting; it was introduced in July 2017. At some point attackers discovered the vulnerability and began exploiting it.