Finally, more than two weeks after reporting a recent hack in which “up to 50 million accounts may have been exposed”, Facebook have spoken publicly, confirming that around 30 million accounts were accessed without authorisation.
The post on Facebook Newsroom not only outlines how many accounts were affected, but also notes that further attacks may still be found, describes in reasonably significant detail how the attack occurred, and confirms how long the access token vulnerability was in place.
Auth0 have compiled a fantastic explanation of the vulnerability, its exploitation and how it was used to gain access to users’ accounts, but the core of the issue is as follows:
Through this vulnerability, attackers were able to steal Facebook access tokens. An access token is a credential that can be used by an application to access an API. Its main purpose is to inform the API that the bearer of this token has been authorized to access the API and perform specific actions. In this case, an attacker could have used the Facebook access tokens to take over accounts.
The Simple Breakdown
- The vulnerability that led to the attack had been in place for around 14 months (since July 2017)
- It was discovered on September 25th, at which time steps were taken to secure Facebook and protect user data, including invalidating the compromised tokens
- Facebook have confirmed that attackers used access tokens to gain unauthorised access to account information from approximately 30 million Facebook accounts.
- On September 28th the users whose data was affected were notified by the company
- The investigation is still ongoing, so if you’re a user of Facebook – stay tuned for more info
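To make the bearer-token point from the Auth0 quote and the “invalidating the compromised tokens” step concrete, here is an added illustration (not code from Facebook, Auth0 or this post) of a hypothetical in-memory token service: it issues HMAC-tagged bearer tokens, accepts any holder of a valid token (which is exactly why a stolen one works), and supports bulk invalidation of every token issued to a user before a chosen cut-off. The token format, HMAC key and revocation map are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Assumed server-side HMAC key; it never leaves the server, so a valid tag proves the
# token was issued here, but NOT who is presenting it.
SECRET = secrets.token_bytes(32)

# Assumed revocation map: user_id -> cut-off timestamp. Any token for that user issued
# before the cut-off is rejected, which is how "invalidate the compromised tokens" can
# be done without tracking every individual token.
_revoked_before: dict[str, int] = {}


def issue_token(user_id: str, issued_at: Optional[float] = None) -> str:
    """Issue a bearer token of the form user_id.issued_at.hmac_tag (user_id must not contain '.')."""
    ts = int(issued_at if issued_at is not None else time.time())
    payload = f"{user_id}.{ts}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def validate_token(token: str) -> Optional[str]:
    """Return the user id the bearer is authorised as, or None if the token is rejected.

    Bearer semantics: the server cannot distinguish the legitimate owner from a thief.
    It only checks integrity (the tag) and whether the token predates a revocation cut-off.
    """
    try:
        user_id, ts, tag = token.split(".")
        issued = int(ts)
    except ValueError:  # wrong number of fields or non-numeric timestamp
        return None
    expected = hmac.new(SECRET, f"{user_id}.{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the tag
        return None
    if issued < _revoked_before.get(user_id, 0):  # issued before the user's cut-off
        return None
    return user_id


def revoke_all_tokens(user_id: str, at: Optional[float] = None) -> None:
    """Invalidate every token issued to user_id before `at` (default: now); later tokens stay valid."""
    _revoked_before[user_id] = int(at if at is not None else time.time())
```

In practice the cut-off would be persisted and checked on every API call, so that forcing affected users to log in again (as Facebook did) immediately stops a stolen token from working.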
There’s a lot of information here to digest and unfortunately, as users (if you are going to continue using the service) we just have to trust that Facebook are doing all the right things to prevent such attacks from recurring. In the meantime, be wary of any unsolicited emails or calls (if you have your mobile number listed against your Facebook account) and keep your internet security software updated.
If you’re concerned that you may be one of those affected, you can visit the Newsroom post, which (provided you are logged into Facebook) will also tell you at the bottom of the post whether your account was compromised through this attack.
How do you feel about the latest in a long line of data breaches? Par for the Internet, or should companies be doing more than they already are to protect your private data?