Facebook reported its worst security breach on 25 September, in which at least 50 million accounts were compromised and another 40 million were considered to be at risk by the social media network. Mint tells you what you need to know about the breach.
1. What has happened?
Facebook found three bugs in its video uploader, which would occasionally appear when using the “View As” feature. This is a feature that allows you to look at your Facebook Timeline as someone else. Hackers stole access tokens, giving them entry into your account. An access token is a code that identifies the user and allows other apps, browsers, etc., to access your information. This is how your browser keeps you logged in to Facebook even after you close the page. An access token does not store your password, so stealing it doesn’t give hackers your password. Access tokens are also generated by Gmail, Twitter and many other websites.
2. How will you know if you were affected?
Facebook logged 90 million of its users out of their accounts as a result of resetting their access tokens. According to the company, 50 million users have been affected by the hack and an additional 40 million were logged out because they accessed the “View As” feature since the vulnerability entered Facebook’s code. If you were one of the Facebook users affected by the breach, you would have seen a post at the top of your News Feed notifying you of the breach. Since access tokens do not include passwords, you don’t have to change your Facebook password if you were affected.
3. Has the bug been fixed?
Facebook said the leak was plugged on 27 September, though it is continuing the probe into the matter. Access tokens for affected accounts were reset, but Facebook isn’t sure if personal information was accessed.
4. Are accounts other than Facebook affected?
Technically, yes. Having your access token would let attackers access all websites and apps that use your Facebook account for authentication. That includes food delivery and dating apps and many others. This is why users had to log back in to those apps as well: the access tokens those apps held have now been invalidated. You can find information on apps that you have logged into using Facebook from the social network’s own settings. The “Apps and Websites” option will show you this.
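To make the token mechanics in points 1 and 4 concrete, here is a small, constructed example (added for this explainer; it is not Facebook's code and makes no claim about how Facebook's systems are built) of a bearer-token store. It shows that a token is a random handle that only references a user record, so it carries no password; that any client presenting a valid token, including a third-party app, is treated as that user; and that a server-side reset of the tokens for a set of users logs every holder of those tokens out at once. The class and method names (`TokenStore`, `login`, `revoke_all_for`) are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


class TokenStore:
    """Constructed illustration of server-side access tokens (not Facebook's implementation)."""

    def __init__(self):
        self._users = {}   # user_id -> (salt, PBKDF2 hash of password)
        self._tokens = {}  # sha256(token) -> (user_id, issued_at); raw tokens are never stored

    @staticmethod
    def _fingerprint(token):
        # Store only a hash of the token so a leaked store does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user_id, password):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user_id] = (salt, pw_hash)

    def login(self, user_id, password):
        """Check the password once; on success issue a random token tied to the user."""
        if user_id not in self._users:
            return None
        salt, pw_hash = self._users[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        token = secrets.token_urlsafe(32)  # random handle; contains nothing derived from the password
        self._tokens[self._fingerprint(token)] = (user_id, time.time())
        return token

    def whoami(self, token):
        """Any client (browser or third-party app) presenting a live token is treated as its user."""
        entry = self._tokens.get(self._fingerprint(token))
        return entry[0] if entry else None

    def revoke_all_for(self, user_ids):
        """Server-side reset: drop every token for the given users, logging all their clients out."""
        doomed = [fp for fp, (uid, _) in self._tokens.items() if uid in user_ids]
        for fp in doomed:
            del self._tokens[fp]
        return len(doomed)


def demo():
    """Walk through issue -> use -> mass reset and return the observations as a dict."""
    store = TokenStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    token = store.login("alice", "correct horse battery staple")
    return {
        "wrong_password_rejected": store.login("alice", "guess") is None,
        "token_identifies_user": store.whoami(token) == "alice",
        "token_contains_password": "correct horse" in token,
        "revoked_count": store.revoke_all_for({"alice"}),
        "token_dead_after_reset": store.whoami(token) is None,
        "password_still_works": store.login("alice", "correct horse battery staple") is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two observations are the point of the explainer: a reset invalidates stolen tokens without the user having to change a password, and the password itself keeps working afterwards because the token never contained it.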
5. How is this breach different from the Cambridge Analytica (CA) scandal?
The main difference between this breach and the CA scandal is that this one is an actual hack: there was a vulnerability in Facebook’s software. In the CA scandal, a researcher exploited Facebook’s data-sharing policies for his gain. Facebook hasn’t yet disclosed what information the hackers accessed. If personal information was leaked, Facebook may be punished under GDPR, as many of the affected users would have been from Europe.