50m Facebook accounts exposed in security breach


By Dylan Bushell-Embling
Tuesday, 02 October, 2018


Facebook has disclosed that it suffered a security breach impacting nearly 50 million accounts, involving the exploitation of a previously unknown vulnerability in its website code.

From preliminary investigation into the breach, Facebook said it found that attackers had exploited three bugs in the View As feature, which is designed to allow users to see how their Facebook profiles look to other specific users, to steal access tokens that could be used to take over victims' accounts.

Access tokens are used by Facebook to keep users logged into accounts so they don't have to re-enter their password every time.

The first vulnerability exploited in the attack incorrectly provided the ability to post a video in what should have been a view-only interface for the View As feature.

The second involved a bug in a new version of its video uploader that incorrectly generated an access token with the permissions of the Facebook mobile app, and the third involved generating this access token not for the user's own profile but for the user being looked up as part of the View As feature.
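The three bugs amount to a token being minted inside an impersonation preview that carries another surface's permissions and names the impersonated account as its subject. The following is an added, hypothetical model of that bug class (not Facebook's code; all names, scopes and functions are invented) showing the flawed issuance path beside one that binds the token to the authenticated session and to the preview's own reduced scope set, plus the server-side checks that would catch the escaped token.

```python
"""Hypothetical model of the View As token-issuance bug class (invented names)."""
from dataclasses import dataclass

# Scopes a full mobile-app token carries versus what a read-only preview needs.
MOBILE_APP_SCOPES = frozenset({"read_profile", "post_video", "read_messages"})
PREVIEW_SCOPES = frozenset({"read_profile"})


@dataclass(frozen=True)
class Token:
    subject: str        # account the bearer may act as
    scopes: frozenset   # permitted actions
    surface: str        # where it was minted: "preview" or "mobile_app"


@dataclass(frozen=True)
class PreviewContext:
    authenticated_user: str  # the logged-in person using View As
    viewed_as_user: str      # the profile being impersonated for the preview


def issue_token_vulnerable(ctx: PreviewContext) -> Token:
    """Bugs 2 and 3 combined: the uploader embedded in the preview requests
    mobile-app permissions, and the subject is copied from the impersonated
    profile instead of from the authenticated session."""
    return Token(ctx.viewed_as_user, MOBILE_APP_SCOPES, "preview")


def issue_token_fixed(ctx: PreviewContext, requested: frozenset) -> Token:
    """Subject is always the authenticated session, and a preview surface can
    only mint scopes from its own allow-list, whatever the component asks for."""
    return Token(ctx.authenticated_user, requested & PREVIEW_SCOPES, "preview")


def authorize(token: Token, action: str, target: str) -> bool:
    """Per-request check: the scope must allow the action and the token must
    belong to the account it is trying to act on. With the vulnerable token
    this passes for the impersonated account, which is the takeover path."""
    return action in token.scopes and token.subject == target


def token_escapes_preview(token: Token, ctx: PreviewContext) -> bool:
    """Detection-style backstop for tokens minted in a preview: flag any token
    whose subject is not the authenticated user or whose scopes exceed the
    preview allow-list. Logging these would surface the bug before misuse."""
    if token.surface != "preview":
        return False
    return token.subject != ctx.authenticated_user or not token.scopes <= PREVIEW_SCOPES
```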

In a post disclosing the breach, Facebook VP of Product Management Guy Rosen said the company has yet to determine whether the impacted accounts were misused or any private information was accessed.

He added that Facebook has now fixed the vulnerability and notified law enforcement. The company has also filed the required disclosure with data protection authorities in Ireland, the base of its European operations, under the EU's General Data Protection Regulation (GDPR).

Facebook has meanwhile temporarily removed the View As feature while it conducts a more thorough security review.

Access tokens for the 50 million accounts known to have been compromised in the attack, and for a further 40 million accounts that have been subject to a View As lookup during the past year, have also been reset.
