50m Facebook accounts exposed in security breach
Facebook has disclosed it has suffered a security breach that impacted nearly 50 million accounts and involved the compromise of a previously undiscovered vulnerability in its website code.
From preliminary investigation into the breach, Facebook said it found that attackers had exploited three bugs in the View As feature, which is designed to allow users to see how their Facebook profiles look to other specific users, to steal access tokens that could be used to take over victims' accounts.
Access tokens are used by Facebook to keep users logged into accounts so they don't have to re-enter their password every time.
The first vulnerability exploited in the attack incorrectly provided the ability to post a video in what should have been a view-only interface for the View As feature.
The second involved a bug in a new version of its video uploader that incorrectly generated an access token with the permissions of the Facebook mobile app, and the third involved generating this access token not for the user's own profile, but for the user being looked up as part of the View As feature.
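The three defects above are all failures of token-issuance policy: a token minted from a page that should not mint one, with more scope than the page needs, and bound to the wrong user. The following is an added, constructed model of that policy (not Facebook's code; the context fields, scope names and user names are assumptions) showing the vulnerable issuance beside a check that catches each defect and a hardened issuer built on it.

```python
from dataclasses import dataclass

# Constructed model of a "View As" session. The actor is the logged-in user,
# the subject is the profile whose perspective is being previewed. All names
# here are assumptions for illustration, not Facebook's real identifiers.
@dataclass(frozen=True)
class ViewAsContext:
    actor: str        # authenticated user who opened View As
    subject: str      # user the actor is previewing the profile as
    view_only: bool   # True while rendering the preview; no actions allowed

@dataclass(frozen=True)
class AccessToken:
    user: str
    scopes: frozenset

# Scopes a mobile-app token carries versus what a profile preview needs.
MOBILE_APP_SCOPES = frozenset({"read_profile", "post_video", "manage_account"})
PREVIEW_SCOPES = frozenset({"read_profile"})

def mint_token_vulnerable(ctx: ViewAsContext) -> AccessToken:
    """Reproduces the three defects in the article: the uploader is reachable
    from a view-only page, it mints a token with mobile-app permissions, and
    it binds that token to the looked-up subject instead of the actor."""
    return AccessToken(user=ctx.subject, scopes=MOBILE_APP_SCOPES)

def issuance_violations(ctx: ViewAsContext, token: AccessToken) -> list:
    """Policy check usable both at mint time and as an audit over issued
    tokens: returns one message per violated rule, empty if the token is OK."""
    problems = []
    if ctx.view_only:
        problems.append("token minted from a view-only rendering context")
    if token.user != ctx.actor:
        problems.append(f"token bound to {token.user!r}, not actor {ctx.actor!r}")
    if not token.scopes <= PREVIEW_SCOPES:
        problems.append(f"excess scopes: {sorted(token.scopes - PREVIEW_SCOPES)}")
    return problems

class TokenPolicyError(Exception):
    pass

def mint_token_hardened(ctx: ViewAsContext) -> AccessToken:
    """Binds the token to the authenticated actor with preview-only scopes,
    and refuses outright if the policy check still finds a violation."""
    token = AccessToken(user=ctx.actor, scopes=PREVIEW_SCOPES)
    problems = issuance_violations(ctx, token)
    if problems:
        raise TokenPolicyError("; ".join(problems))
    return token
```

Running `issuance_violations` over historical token-issuance records with their originating context is the audit a defender would want after a bug of this shape, since each message names which of the three rules was broken.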
In a post disclosing the breach, Facebook VP of Product Management Guy Rosen said the company has yet to determine whether the impacted accounts were misused or any private information was accessed.
He added that Facebook has now fixed the vulnerability and notified law enforcement. The company has also filed the required disclosure with data protection authorities in Ireland, the base of its European operations, under the EU's General Data Protection Regulation (GDPR).
Facebook has meanwhile temporarily removed the View As feature while it conducts a more thorough security review.
Access tokens for the 50 million accounts known to have been compromised in the attack, and for a further 40 million accounts that have been subject to a View As lookup during the past year, have also been reset.