Facebook Access Tokens Stolen
Guy Rosen (Hacker News, MacRumors):
On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Facebook’s Guy Rosen just confirmed that the breach would have allowed hackers to access not only your Facebook account, but your accounts on other sites where you used Facebook as your login.
Also—separate from the question of third-party apps—Facebook says users affected by the breach who have Instagram or Oculus accounts linked to their Facebook account will have to un-link and re-link them.
See also: Mike Isaac and Sheera Frenkel, Nick Heer.
Update (2018-10-16): Glenn Chapman:
Facebook said Friday that hackers accessed personal data of 29 million users in a breach at the world’s leading social network disclosed late last month.
The company had originally said up to 50 million accounts were affected in a cyberattack that exploited a trio of software flaws to steal “access tokens” that enable people to automatically log back onto the platform.
“We now know that fewer people were impacted than we originally thought,” Facebook vice president of product management Guy Rosen said in an online post.
See also: Facebook, Ryan Mac (tweet).
