Posted by cageymaru 1:28 PM (CDT)
Friday September 28, 2018
Facebook has acknowledged being hacked on Tuesday, September 25th. The security issue directly affected almost 50 million accounts and another 40 million indirectly. The "View As" feature that Facebook implemented in July 2017 is the source of the security issue. The "View As" feature allows users to see what their own profile looks like to someone else. Hackers used this to steal Facebook access tokens, which they then used to take over accounts belonging to other members of the service. Think of "access tokens" as "digital keys" that allow a person to remain logged into the service without having to re-enter their password when they use the app.
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens. There's no need for anyone to change their passwords. But people who are having trouble logging back into Facebook -- for example because they’ve forgotten their password -- should visit our Help Center.