Facebook has discovered that hackers stole Facebook access tokens for almost 50 million accounts.

The social network announced that, on 25 September, its engineering team noticed hackers had exploited a vulnerability in its code. The perpetrators took advantage of security flaws in Facebook’s “View As” code, a feature that lets users see what their profile looks like to another user or the public. Facebook said the stolen access tokens were digital keys that allowed people to stay logged in to Facebook.

Here’s what you need to know and do now.

• Don’t want to unfollow a friend? Facebook now lets you ‘snooze’ them
• 17 Facebook tips and tricks you probably never heard about
• 17 Facebook Messenger tips and tricks you likely didn’t know
• How to permanently delete Facebook but keep your photos and more

How and when did this happen?

• Hackers exploited a vulnerability in code for the “View As” feature
• The vulnerability (the result of three bugs) first appeared in 2017
• Hackers stole access tokens used to take over people’s accounts

The investigation is in its early stages now. It looks like hackers exploited a vulnerability — the result of three bugs — in Facebook’s code for the “View As” feature. They stole Facebook access tokens, which they could then use to take over people’s accounts. (These access tokens are described as “digital keys” that keep people logged in to Facebook so they don’t need to re-enter their password every time.)

The vulnerability in Facebook’s code first appeared in July 2017, when Facebook made a change to a video uploading feature. It didn’t notice any unusual activity until 16 September 2018, when it saw a jump in user access to the site. It then launched an investigation and discovered this attack. So, the hackers had a chance to exploit the vulnerability in Facebook’s code from July 2017 to late September 2018.

Who are the hackers?

Facebook doesn’t know who executed the attacks or where they’re based.

Who is affected?

Facebook has reset the access tokens of the nearly 50 million accounts that were affected and another 40 million accounts that were “subject to a ‘View As’ lookup in the last year.” It is not clear whether the affected accounts were misused or had information accessed.

Do you need to change your password?

Facebook said there is no need for anyone to change their passwords.

If you’re still concerned, you can visit the “Security and Login” section in Settings to log out of all devices at once.

What’s the plan of action now?

• The vulnerability in Facebook’s code has been fixed
• Facebook informed the authorities in September 2018
• Facebook began alerting users of the breach in September 2018

The vulnerability has been patched, and Facebook has informed the authorities. While an investigation into the security breach continues, Facebook has reset accounts for 90 million people. Those users now have to log back in to Facebook, including any of their apps that use Facebook Login. After they have logged back in, they will get a notification at the top of their News Feed explaining what happened.

Lastly, Facebook is temporarily turning off the “View As” feature.

Has Facebook apologised?

Yes. Facebook said it is “sorry this happened”. You can read the full apology here, or read an excerpt below:

“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”

What about Mark Zuckerberg?

Here is what the Facebook CEO had to say:

Source : Click Here