A security fault in Facebook’s code allowed hackers to gain access to the Facebook profiles and linked accounts of at least 50 million people, the social network announced last week.
Scammers exploited a vulnerability in Facebook’s ‘view as’ feature, which allows users to see how their profiles appear to others, to siphon off ‘access tokens.’ Access tokens are unique strings of numbers created when you log into an account, containing the security credentials for the login and used to identify you to your device.
With security tokens, hackers were able to take over at least 50 million Facebook accounts, including those of Facebook CEO Mark Zuckerberg and Chief Operating Officer and Lean In author Sheryl Sandberg. Access to Facebook profiles potentially allowed them to access profiles that use Facebook logins, including Facebook-owned Instagram and WhatsApp and also third-party platforms such as Spotify and Tinder.
When it discovered the breach, Facebook reset the access tokens for those 50 million accounts and, as a precaution, for an additional 40 million accounts. That means if you were asked to log back into Facebook when you loaded the website or app last week, yours was one of the accounts affected. You may also have been logged out of websites or apps that use Facebook login credentials.
Facebook has also announced plans to alert users who had their access tokens compromised with a post on the top of their news feeds.
The Data Protection Commission in Ireland, where Facebook Europe is registered, said less 10% of the compromised accounts were thought to be of Europeans.
Facebook is now working with law enforcement to investigate the hack but is still uncertain who stole the access tokens, how long they may have had access to the accounts, and if they viewed users’ personal information. Facebook has said that no credit card information or passwords were stolen.
However, users may still want to reset their Facebook passwords, especially if they use them across multiple sites, and check activity on bank accounts and other websites. Users may want to take advantage of the security scare to set up two-factor authentication on their Facebook and other online accounts.
The hack is the first data protection breach from a major tech company since the EU’s General Data Protection Regulation (GDPR) came into force in May. Under the terms of GDPR, Facebook could face hefty fines for the security lapse, including up to 4% of its annual turnover, or £1.25bn. While Facebook followed all regulations for disclosing the breach, reporting it to the Irish Data Protection Commission within the required 72 hours, it may still be in infringement of GDPR for not having sufficient security measures to thwart the attack.
Guy Rosen, VP of product management at Facebook, said: “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. If we find more affected accounts, we will immediately reset their access tokens.”