50m Facebook accounts exposed in security breach


By Dylan Bushell-Embling
Tuesday, 02 October, 2018


Facebook has disclosed it has suffered a security breach that impacted nearly 50 million accounts and involved the compromise of a previously undiscovered vulnerability in its website code.

From its preliminary investigation into the breach, Facebook said it found that attackers had exploited three bugs in the View As feature, which lets users see how their own Facebook profile looks to another specific user, in order to steal access tokens that could be used to take over victims' accounts.

Access tokens are used by Facebook to keep users logged into accounts so they don't have to re-enter their password every time.

The first vulnerability exploited in the attack incorrectly provided the ability to post a video in what should have been a view-only interface for the View As feature.

The second involved a bug in a new version of its video uploader that incorrectly generated an access token with the permissions of the Facebook mobile app, and the third involved generating this access token not for the user's own profile, but for the user being looked up as part of the View As feature.
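To make the chain described above concrete, here is an added example (not Facebook's code; every name such as ViewAsContext, mint_token_vulnerable and audit_token is a hypothetical model) contrasting a token issuer that binds the token to the request-supplied "viewed" profile with full app scopes against a hardened issuer that binds it to the authenticated session and caps scopes to view-only, plus an audit check a defender could run over issued tokens.

```python
from dataclasses import dataclass

# Constructed model of a "View As" style impersonation context.
# All names here are hypothetical and simplified; this is not Facebook's code.

@dataclass(frozen=True)
class Session:
    user_id: str          # the authenticated (acting) user

@dataclass(frozen=True)
class ViewAsContext:
    session: Session
    viewed_user_id: str   # profile being previewed; must remain read-only

@dataclass(frozen=True)
class AccessToken:
    subject: str          # account the token acts for
    scopes: frozenset     # permissions the token carries

# Scope sets are illustrative, not Facebook's real permission names.
MOBILE_APP_SCOPES = frozenset({"read_profile", "post_video", "read_messages"})
VIEW_ONLY_SCOPES = frozenset({"read_profile"})

def mint_token_vulnerable(ctx: ViewAsContext) -> AccessToken:
    """Models the reported flaw: a write path (video upload) reachable from the
    view-only screen mints a token with mobile-app permissions, and the token's
    subject is the looked-up profile rather than the logged-in user."""
    return AccessToken(subject=ctx.viewed_user_id, scopes=MOBILE_APP_SCOPES)

def mint_token_hardened(ctx: ViewAsContext, requested: frozenset) -> AccessToken:
    """Subject always comes from the authenticated session, never from a
    request-supplied profile id; scopes inside View As are capped to view-only."""
    if not requested <= VIEW_ONLY_SCOPES:
        raise PermissionError("write scopes are not permitted inside View As")
    return AccessToken(subject=ctx.session.user_id, scopes=requested)

def audit_token(token: AccessToken, ctx: ViewAsContext) -> list[str]:
    """Detection-side check: report every invariant an issued token violates."""
    findings = []
    if token.subject != ctx.session.user_id:
        findings.append("subject mismatch: token not bound to session user")
    if not token.scopes <= VIEW_ONLY_SCOPES:
        findings.append("over-privileged: write scopes issued in view-only context")
    return findings
```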

In a post disclosing the breach, Facebook VP of Product Management Guy Rosen said the company has yet to determine whether the impacted accounts were misused or any private information was accessed.

He added that Facebook has now fixed the vulnerability and notified law enforcement. The company has also filed the required disclosure with data protection authorities in Ireland, the base of its European operations, under the EU's General Data Protection Regulation (GDPR).

Facebook has meanwhile temporarily removed the View As feature while it conducts a more thorough security review.

Access tokens for the 50 million accounts known to have been compromised in the attack, and for a further 40 million accounts that have been subject to a View As lookup during the past year, have also been reset.
