Facebook recently disclosed that the security of 50 million profiles was compromised when attackers stole “access tokens” that allowed them to break into these accounts.
Facebook discovered the breach Tuesday, Sept. 25, and it reset access tokens, forcing users to log back in to their accounts, on Thursday, Sept. 27. The company disclosed the attack last Friday.
In addition to Facebook accounts, the stolen access tokens may also compromise accounts on any third-party website that uses Facebook Login.
Some people are unsure about what that means for the security of their Facebook accounts, so here’s a breakdown of everything we know.
First, it’s likely that the breach impacted you.
Facebook reset the access tokens of 50 million compromised accounts, and as a precaution, it reset another 40 million accounts that it thinks may have been breached.
By resetting the tokens, Facebook rendered the stolen tokens invalid. Users were forced to reenter their passwords and log back in to their Facebook accounts.
WhatsApp users are not affected (WhatsApp is owned by Facebook), but Instagram users might be, so the company prompted Instagram users to unlink and relink their Facebook accounts.
You don’t necessarily need to change your password, but you should review where you’re logged in to Facebook.
An access token isn’t a password. It’s a string of characters that allows you to stay signed in to Facebook. Access tokens are like “digital keys,” Facebook says, that keep you logged in to your Facebook account even when you’re not actively using Facebook, so you don’t have to reenter a password every time you visit.
There’s not much more you can do about the breach, since Facebook’s already reset these access tokens.
However, you should visit Facebook’s Security settings page (https://www.facebook.com/settings?tab=security) and review the section “Where You’re Logged In.” Click on the icon to the right to log out of your Facebook account on inactive devices.
On an iPhone, you can get to the Security settings page by tapping the menu icon (bottom right), scrolling down to Settings & Privacy, selecting Settings, and then selecting Security and Login.
That said, make sure you have a strong password for your Facebook account and two-factor authentication (via app, not text message) turned on.
You should also review all of the third-party apps where you use Facebook to sign in. They may be vulnerable too.
In Facebook settings, go to Apps and Websites to review all of the third-party apps that use your Facebook credentials to sign in. You should revoke permission to any apps you don’t use anymore.
In addition to that, you should go to those accounts and see if there was any suspicious activity, Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, told NBC News.
That’s because, according to Polakis, those stolen access tokens could be used to log in to accounts on websites that support Facebook authentication — even if you don’t use Facebook as a log-in.
Over 160,000 websites, including Apegeo, currently use Facebook Login, a tool that allows people to use their Facebook profile to sign up instead of creating a new account. It’s also referred to as “Facebook single sign-on” (or “Facebook SSO” in the tweet below).
As such, looking at the active sessions would not alert the user of the ongoing attack. If this hasn't been fixed by Facebook since our experiments, current advice about looking at active sessions will likely not help you. (5/n)
— jason polakis (@jpolakis) September 29, 2018
In a series of tweets, Polakis explained that, depending on how these websites implemented Facebook Login, hackers could gain access to users’ accounts on every website where Facebook single sign-on is implemented.
In an emailed statement, a Facebook spokesperson wrote, “We provide best practices for developers that use Login and SDKs, which help them detect forced logouts like the ones we did last week to protect people. We are preparing additional recommendations for all developers responding to this incident and to protect people going forward.” She also provided a link to Facebook’s Login Security page for developers. Airbnb, Tinder, Bumble, Hinge, and Getaround — websites that use Facebook Login — did not respond to requests for comment.
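The kind of check Polakis's point and Facebook's statement call for on a site that uses Facebook Login, as an added example (not Facebook's code, nor any named site's): the backend re-verifies the Facebook token it holds through the Graph API debug_token endpoint and ends its own session when Facebook reports the token invalid, so a token reset on Facebook's side also logs the user out of the third-party site. The app id, user id and both JSON responses are constructed placeholders.

```python
import time
from urllib.parse import urlencode

# Constructed placeholders for this example, not values from the article.
OUR_APP_ID = "123456789012345"          # the third-party site's own Facebook app id
GRAPH = "https://graph.facebook.com"

def debug_token_url(user_token, app_token):
    """Build the Graph API call a backend uses to inspect a token it received.

    /debug_token is a real Graph API endpoint; app_token is the site's own
    app access token ("APP_ID|APP_SECRET"), never the user's token.
    The HTTP request itself is left to the caller so this runs offline.
    """
    q = urlencode({"input_token": user_token, "access_token": app_token})
    return f"{GRAPH}/debug_token?{q}"

def session_is_trustworthy(debug_response, session_user_id, now=None):
    """Decide whether a site session bound to a Facebook token should stay alive.

    Returns (ok, reason). A token Facebook has reset or revoked comes back
    with is_valid false, so re-checking on sensitive actions (or on a timer)
    lets the site honor Facebook's forced logout instead of keeping its own
    cookie alive for a token that may have been stolen.
    """
    now = time.time() if now is None else now
    data = debug_response.get("data") or {}
    if not data.get("is_valid"):
        return False, "facebook reports token invalid (reset or revoked)"
    if str(data.get("app_id")) != OUR_APP_ID:
        return False, "token was issued to a different app"
    if data.get("type") != "USER":
        return False, "not a user token"
    if str(data.get("user_id")) != str(session_user_id):
        return False, "token belongs to a different user than the session"
    expires = data.get("expires_at", 0)
    if expires and expires <= now:
        return False, "token expired"
    return True, "ok"

# Constructed sample responses in the shape /debug_token returns.
VALID = {"data": {"app_id": OUR_APP_ID, "type": "USER", "application": "Example Site",
                  "expires_at": 2_000_000_000, "is_valid": True, "user_id": "1000123",
                  "scopes": ["public_profile", "email"]}}
RESET = {"data": {"app_id": OUR_APP_ID, "type": "USER", "is_valid": False,
                  "error": {"code": 190, "message": "Invalid OAuth access token."},
                  "expires_at": 0, "scopes": [], "user_id": "1000123"}}

if __name__ == "__main__":
    print(debug_token_url("USER_TOKEN_PLACEHOLDER", "APP_ID|APP_SECRET_PLACEHOLDER"))
    for name, resp in (("valid", VALID), ("reset", RESET)):
        print(name, session_is_trustworthy(resp, "1000123", now=1_538_000_000))
```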
A Pinterest spokesperson said, “We are actively working with Facebook to investigate and determine the impact. We’ll keep users posted if there are updates to be aware of.”
A Spotify spokesperson commented, “Spotify has not experienced a security breach. As a precaution, concerned users can update their Spotify password, or if the account was created through Facebook, the Facebook login via their instructions.”
Here’s what caused the breach to begin with: Attackers exploited a vulnerability in the “View As” feature, which lets you see what your profile looks like to other people you’ve friended on Facebook.
“View As” is supposed to be view-only. In other words, you shouldn’t be able to interact with your profile in this mode. However, in one specific case, you could interact with your own profile. One version of View As showed your profile as it would appear on your birthday. In this version, you’d see, “Write [your name] a birthday wish.”
Facebook inadvertently provided the option to post a video for this special birthday version of View As. That video uploader then generated an access token in the website’s HTML for the user that you were viewing your profile as.
This new video upload feature was introduced in July 2017. In mid-September, Facebook launched an investigation after it discovered a spike in users of the new functionality, which is how it uncovered the attack on Sept. 25.
This access token is what allowed attackers to take over your account.
These access tokens can also be used to gain complete control of Facebook accounts, but Facebook says that, so far, its initial investigation has not shown that the tokens were used “to access any private messages or posts or to post anything to these accounts.”
Facebook still has no idea who the attackers are, or where they’re based.
According to Facebook, its investigation is in its early stages, and the company doesn’t know if any accounts were actually accessed using stolen tokens.