50m Facebook accounts exposed in security breach
Facebook has disclosed it has suffered a security breach that impacted nearly 50 million accounts and involved the compromise of a previously undiscovered vulnerability in its website code.
From preliminary investigation into the breach, Facebook said it found that attackers had exploited three bugs in the View As feature, which is designed to allow users to see how their Facebook profiles look to other specific users, to steal access tokens that could be used to take over victims' accounts.
Access tokens are used by Facebook to keep users logged into accounts so they don't have to re-enter their password every time.
The first vulnerability exploited in the attack incorrectly provided the ability to post a video in what should have been a view-only interface for the View As feature.
The second involved a bug in a new version of its video uploader that incorrectly generated an access token with the permissions of the Facebook mobile app, and the third involved generating this access token not for the user's own profile, but for the user being looked up as part of the View As feature.
In a post disclosing the breach, Facebook VP of Product Management Guy Rosen said the company has yet to determine whether the impacted accounts were misused or any private information was accessed.
He added that Facebook has now fixed the vulnerability and notified law enforcement. The company has also filed the required disclosure with data protection authorities in Ireland, the base of its European operations, under the EU's General Data Protection Regulation (GDPR).
Facebook has meanwhile temporarily removed the View As feature while it conducts a more thorough security review.
Access tokens for the 50 million accounts known to have been compromised in the attack, and for a further 40 million accounts that have been subject to a View As lookup during the past year, have also been reset.
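The bug chain described above and the token reset that followed it come down to two server-side properties: a token minted inside a preview flow must stay bound to the authenticated session (never to the account being previewed) and to the scope of that interface, and tokens issued through a suspect path must be revocable in bulk by flow and time window. The following toy token service is an added example written for this article, not Facebook's code; `Token`, `TokenStore`, `_mint`, the scope sets and the two `*_view_as_token` functions are all invented names. The `vulnerable_view_as_token` path only reproduces the shape of the defect the article describes, issuing a token whose subject is the viewed user with full app permissions, so it can be contrasted with the hardened form and checked by `authorize`.

```python
"""Toy access-token service illustrating the View As token-confusion class.

Added example, not Facebook's code. All names are invented for illustration.
"""
from dataclasses import dataclass
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key; a real service would keep this in a secret store.
SECRET = b"constructed-server-secret"

# Permission sets: what the mobile app gets vs. what a view-only preview needs.
FULL_APP_SCOPES = {"read_profile", "post", "message"}
VIEW_ONLY_SCOPES = {"read_profile"}


@dataclass(frozen=True)
class Token:
    subject: str          # account the token acts on behalf of
    scopes: frozenset     # permissions granted to the bearer
    issued_at: float      # unix time of issuance
    flow: str             # server path that minted it, e.g. "view_as", "login"
    nonce: str            # unique id so individual tokens can be revoked
    sig: str              # HMAC over the other fields


def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def _mint(subject: str, scopes: set, flow: str, now: float) -> Token:
    nonce = secrets.token_hex(8)
    payload = {"sub": subject, "scopes": sorted(scopes), "iat": now,
               "flow": flow, "nonce": nonce}
    return Token(subject, frozenset(scopes), now, flow, nonce, _sign(payload))


def vulnerable_view_as_token(session_user: str, viewed_user: str, now=None) -> Token:
    """Flawed shape: subject is the *viewed* user and scope is the full app set.

    Whoever holds this token can act as viewed_user, which is the defect class
    the article describes. Kept only for contrast with the hardened version.
    """
    return _mint(viewed_user, FULL_APP_SCOPES, "view_as", now or time.time())


def hardened_view_as_token(session_user: str, viewed_user: str, now=None) -> Token:
    """Token stays bound to the authenticated session and to view-only scope.

    viewed_user only selects what the preview renders; it never becomes the
    token's subject.
    """
    return _mint(session_user, VIEW_ONLY_SCOPES, "view_as", now or time.time())


def authorize(tok: Token, acting_user: str, action: str) -> bool:
    """Check every write path should perform before honouring a request."""
    return tok.subject == acting_user and action in tok.scopes


class TokenStore:
    """Server-side record of issued tokens, indexed by nonce."""

    def __init__(self):
        self._tokens = {}

    def add(self, tok: Token) -> None:
        self._tokens[tok.nonce] = tok

    def is_valid(self, tok: Token) -> bool:
        stored = self._tokens.get(tok.nonce)
        return stored is not None and hmac.compare_digest(stored.sig, tok.sig)

    def revoke_flow_since(self, flow: str, since: float) -> int:
        """Bulk reset: drop every token minted by `flow` at or after `since`.

        Mirrors the remedy in the article: resetting tokens for accounts that
        went through the suspect path during a time window, not just the
        accounts confirmed as compromised.
        """
        victims = [n for n, t in self._tokens.items()
                   if t.flow == flow and t.issued_at >= since]
        for n in victims:
            del self._tokens[n]
        return len(victims)
```

Running `authorize` against both token shapes makes the difference concrete: the flawed token lets its bearer post as the previewed account, while the hardened one is only good for reading as the logged-in user. `revoke_flow_since` shows why recording the minting flow on each token matters: it is what makes a targeted bulk reset possible after the fact.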