Friday, September 28, 2018

Facebook security issue affects 50M user accounts

According to Guy Rosen, VP of Production Management at Facebook, on Tuesday afternoon, 25 September, the Facebook engineering team discovered a security issue affecting almost 50M Facebook user accounts.

A flaw in the “View As” feature allowed attackers to steal Facebook access tokens, which could be used to take over users’ accounts. Access tokens are the equivalent of digital keys that keep users logged into Facebook, so a stolen token lets an attacker stay logged in as that user.

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted the ‘View As’ feature,” Facebook stated on its website.

First, Facebook fixed the vulnerability and informed law enforcement.

Second, Facebook has reset the access tokens of the almost 50 million accounts it knows were affected, to protect their security. Facebook is also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, Facebook is temporarily turning off the “View As” feature while it conducts a thorough security review.


