Facebook suffered their biggest security breach ever and confirmed that the accounts of at least 50 million active users were hacked, including the company’s CEO Mark Zuckerberg and COO Sheryl Sandberg. But it isn’t only Facebook accounts that were compromised; third-party apps such as Tinder, Spotify, Instagram, and Airbnb were also vulnerable to the hack.
On Friday, Facebook announced in a “Security Update” that the social network had been severely hacked. Facebook said engineers first discovered the intrusion on Tuesday, September 25th. The hackers would have full access to your profile and your private information on the social media platform.
Facebook acknowledged that they are still in the early stages of their investigation, but are certain that “attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else.” The massive tech company also said, “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The scary part is that this vulnerability has been exposed since the summer of 2017. “This attack exploited the complex interaction of multiple issues in our code,” the statement said. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
The “View As” feature enabled users to see how their profile looked on other people’s screens. If you used this feature, your account was susceptible to being hacked. Facebook says they are “taking this incredibly seriously.”
You will know your account was affected if you have had to log in manually to your Facebook account since Friday. Facebook reset the access tokens of the almost 50 million affected accounts as well as another 40 million accounts that used the “View As” feature in the last year. Facebook has temporarily disabled the “View As” feature.
Now would be a fantastic time to change your password on Facebook, as well as on potentially affected third-party apps. You may also want to unlink third-party apps that use Facebook to register.
You might also want to enable two-factor authentication, which again can be found in Facebook settings. It authenticates the account by sending a code to your phone. However, we also learned this week that Facebook not only uses two-factor authentication for security, but also for targeted ads.
Facebook admitted that they use your phone number for advertisements. “We use the information people provide to offer a better, more personalized experience on Facebook, including ads,” a Facebook spokesperson said in a statement to TechCrunch. “We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”
Facebook claims that the vulnerability has been corrected, but the social network doesn’t know exactly what kind of information has been compromised.
On Friday, Facebook was sued for the latest hack of 50 million accounts. A class-action lawsuit against the social media company was filed in federal court in Northern California within hours of Facebook announcing the breach. The lawsuit claims Facebook negligently allowed hackers to breach at least 50 million accounts.