50m Facebook accounts exposed in security breach


By Dylan Bushell-Embling
Tuesday, 02 October, 2018



Facebook has disclosed it has suffered a security breach that impacted nearly 50 million accounts and involved the compromise of a previously undiscovered vulnerability in its website code.

From preliminary investigation into the breach, Facebook said it found that attackers had exploited three bugs in the View As feature, which is designed to allow users to see how their Facebook profiles look to other specific users, to steal access tokens that could be used to take over victims' accounts.

Access tokens are used by Facebook to keep users logged into accounts so they don't have to re-enter their password every time.

The first vulnerability exploited in the attack incorrectly provided the ability to post a video in what should have been a view-only interface for the View As feature.

The second was a bug in a new version of its video uploader that incorrectly generated an access token with the permissions of the Facebook mobile app, and the third was that this access token was generated not for the user's own profile, but for the user being looked up as part of the View As feature.
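As an added illustration (not Facebook's code; the log format, field names and the view-only scope are assumptions), a defender-side audit check over constructed token-issuance log lines that flags the two invariant violations the bug chain above describes: a token whose subject is the looked-up user rather than the session user, and a token carrying more than view-only permissions in a View As context.

```python
import re
from dataclasses import dataclass

# Assumed: the only permission a View As rendering should ever need.
VIEW_ONLY = frozenset({"profile:read"})

# Constructed sample audit lines (hypothetical format): who is logged in,
# who is being looked up, who the minted token acts as, and its scopes.
SAMPLE_LOG = """\
ts=2018-09-25T10:00:01Z ctx=view_as session=u100 target=u200 subject=u100 scopes=profile:read
ts=2018-09-25T10:00:05Z ctx=view_as session=u100 target=u200 subject=u200 scopes=profile:read,post:write,video:upload
ts=2018-09-25T10:00:09Z ctx=view_as session=u101 target=u300 subject=u101 scopes=profile:read,video:upload
ts=2018-09-25T10:00:12Z ctx=login session=u102 target=- subject=u102 scopes=profile:read,post:write
"""

LINE_RE = re.compile(
    r"ctx=(?P<ctx>\S+) session=(?P<session>\S+) target=(?P<target>\S+) "
    r"subject=(?P<subject>\S+) scopes=(?P<scopes>\S+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str


def audit_view_as_tokens(log_text):
    """Return one Finding per invariant violated by a token minted in a view_as context."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m or m["ctx"] != "view_as":
            continue  # only View As issuances are subject to these invariants
        scopes = frozenset(m["scopes"].split(","))
        # Invariant 1: the token must act as the logged-in user, never the looked-up one.
        if m["subject"] != m["session"]:
            findings.append(Finding(n, f"subject {m['subject']} != session user {m['session']}"))
        # Invariant 2: a view-only surface must not mint a token with write permissions.
        if not scopes <= VIEW_ONLY:
            findings.append(Finding(n, f"scope escalation: {sorted(scopes - VIEW_ONLY)}"))
    return findings


if __name__ == "__main__":
    for f in audit_view_as_tokens(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```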

In a post disclosing the breach, Facebook VP of Product Management Guy Rosen said the company has yet to determine whether the impacted accounts were misused or any private information was accessed.

He added that Facebook has now fixed the vulnerability and notified law enforcement. The company has also filed the required disclosure with data protection authorities in Ireland, the base of its European operations, under the EU's General Data Protection Regulation (GDPR).

Facebook has meanwhile temporarily removed the View As feature while it conducts a more thorough security review.

Access tokens for the 50 million accounts known to have been compromised in the attack, and for a further 40 million accounts that have been subject to a View As lookup during the past year, have also been reset.

