Facebook recently disclosed that the security of 50 million profiles was compromised when attackers stole “access tokens” that allowed them to break into these accounts.
Facebook discovered the breach on Tuesday, Sept. 25, and reset access tokens, forcing users to log back in to their accounts, on Thursday, Sept. 27. The company disclosed the attack last Friday.
In addition to Facebook accounts, the stolen access tokens may also compromise accounts on any third-party website that uses Facebook Login.
Some people are unsure about what that means for the security of their Facebook accounts, so here’s a breakdown of everything we know.
First, it’s likely that the breach impacted you.
Facebook reset the access tokens of 50 million compromised accounts, and as a precaution, it reset another 40 million accounts that it thinks may have been breached.
By resetting the tokens, Facebook rendered the stolen tokens invalid. Users were forced to reenter their passwords and log back in to their Facebook accounts.
While WhatsApp users are not affected (WhatsApp is owned by Facebook), Instagram users might be, so the company prompted Instagram users to unlink and relink their Facebook accounts.
You don’t necessarily need to change your password, but you should review where you’re logged in to Facebook.
An access token isn’t a password. It’s a string of characters that allows you to stay signed in to Facebook. Access tokens are like “digital keys,” Facebook says, that keep you logged in to your Facebook account even when you’re not actively using Facebook, so you don’t have to reenter a password every time you visit.
There’s not much more you can do about the breach, since Facebook has already reset these access tokens.
However, you should visit Facebook’s Security settings page (https://www.facebook.com/settings?tab=security) and review the section “Where You’re Logged In.” Click on the icon to the right to log out of your Facebook account on inactive devices.
On an iPhone, you can get to the Security settings page by tapping the menu (bottom right), scrolling down to Settings & Privacy, selecting Settings, and then selecting Security and Login.
That said, make sure you have a strong password for your Facebook account and two-factor authentication (via app, not text message) turned on.
Here’s more information on how to create a strong password (tl;dr — get a password manager and use the manager’s password generator) and set up app-based two-factor authentication.
You should also review all of the third-party apps where you use Facebook to sign in. They may be vulnerable too.
In Facebook settings, go to Apps and Websites to review all of the third-party apps that use your Facebook credentials to sign in. You should revoke permission for any apps you don’t use anymore.
In addition to that, you should go to those accounts and check for any suspicious activity, Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, told NBC News.
That’s because, according to Polakis, those stolen access tokens could be used to log in to accounts on websites that support Facebook authentication — even if you don’t use Facebook as a log-in.
Over 0,000 websites, including BuzzFeed, currently use Facebook Login, a tool that allows people to use their Facebook profile to sign up instead of creating a new account. It’s also referred to as “Facebook single sign-on” (or “Facebook SSO” in the tweet below).
In a series of tweets, Polakis explained that, depending on how these websites implemented Facebook Login, hackers could gain access to users’ accounts on every website where Facebook single sign-on is implemented.
In an emailed statement, a Facebook spokesperson wrote, “We provide best practices for developers that use Login and SDKs, which help them detect forced logouts like the ones we did last week to protect people. We are preparing additional recommendations for all developers responding to this incident and to protect people going forward.” She also provided a link to Facebook’s Login Security page for developers. Airbnb, Tinder, Bumble, Hinge, and Getaround — websites that use Facebook Login — did not respond to requests for comment.
A Pinterest spokesperson said, “We are actively working with Facebook to investigate and determine the impact. We’ll keep users posted if there are updates to be aware of.”
A Spotify spokesperson commented, “Spotify has not experienced a security breach. As a precaution, concerned users can update their Spotify password, or if the account was created through Facebook, the Facebook login via their instructions.”
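As an added illustration of the developer-side practice Facebook refers to (example code written for this article, not Facebook’s SDK or any site’s real code): a website that uses Facebook Login can re-check the Facebook token behind each of its sessions against the Graph API’s debug_token introspection endpoint and end any session whose token no longer validates, so a forced logout at Facebook also ends the user’s session on the site. The HTTP call is replaced by a constructed stub (`fake_introspect`), and the app id, user ids and tokens are placeholders.

```python
# Added example, not Facebook's own code: a relying party that uses Facebook
# Login re-checks each stored Facebook token with the Graph API's debug_token
# introspection and ends local sessions whose token no longer validates, which
# is how a forced logout at Facebook propagates to the site. `introspect` is a
# hypothetical callable standing in for the HTTP call; responses are constructed.
import time
from typing import Callable, Dict, List, NamedTuple

OUR_APP_ID = "123456789012345"  # constructed placeholder, not a real app id

class Session(NamedTuple):
    session_id: str
    user_id: str   # Facebook user id the session was created for
    fb_token: str

def token_is_acceptable(data: Dict, expected_user: str, now: float) -> bool:
    """Accept only a valid, unexpired token issued to our app for this user."""
    if not data.get("is_valid"):
        return False                      # revoked or reset by Facebook
    if data.get("app_id") != OUR_APP_ID:
        return False                      # minted for another app
    if data.get("user_id") != expected_user:
        return False                      # token/user mismatch
    expires = data.get("expires_at", 0)
    return expires == 0 or expires > now  # 0 = non-expiring token

def revalidate_sessions(sessions: List[Session], introspect: Callable[[str], Dict],
                        now: float = None) -> List[str]:
    """Return ids of sessions to terminate because their token failed."""
    now = time.time() if now is None else now
    return [s.session_id for s in sessions
            if not token_is_acceptable(introspect(s.fb_token).get("data", {}),
                                       s.user_id, now)]

# Constructed introspection results shaped like debug_token responses.
FAKE_GRAPH = {
    "tok-ok":    {"data": {"is_valid": True,  "app_id": OUR_APP_ID, "user_id": "u1", "expires_at": 2_000_000_000}},
    "tok-reset": {"data": {"is_valid": False, "app_id": OUR_APP_ID, "user_id": "u2"}},
    "tok-other": {"data": {"is_valid": True,  "app_id": "999", "user_id": "u3", "expires_at": 2_000_000_000}},
}

def fake_introspect(token: str) -> Dict:
    return FAKE_GRAPH.get(token, {"data": {"is_valid": False}})

SESSIONS = [Session("s1", "u1", "tok-ok"), Session("s2", "u2", "tok-reset"),
            Session("s3", "u3", "tok-other"), Session("s4", "u9", "tok-ok")]

if __name__ == "__main__":
    print(revalidate_sessions(SESSIONS, fake_introspect, now=1_600_000_000))  # ['s2', 's3', 's4']
```

Session s2 is ended because Facebook reset its token, s3 because the token was issued to a different app, and s4 because the token belongs to a different user than the session was created for.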
Here’s what caused the breach to begin with: Attackers exploited a vulnerability in the “View As” feature, which lets you see what your profile looks like to other people you’ve friended on Facebook.
“View As” is supposed to be view-only. In other words, you shouldn’t be able to interact with your profile in this mode. However, in one specific case, you could interact with your own profile. One type of View As showed your profile as it would appear on your birthday. In this type, you’d see, “Write [your name] a birthday wish.”
Facebook inadvertently provided the option to post a video in this special birthday type of View As. That video uploader then generated an access token in the website’s HTML for the user you were viewing your profile as.
This new video upload feature was introduced in July 2017. In mid-September, Facebook launched an investigation after it discovered a spike in users of the new functionality, which is how it uncovered the attack on Sept. 25.
This access token is what allowed attackers to take over your account.
These access tokens can also be used to gain complete control of Facebook accounts, but Facebook says that an initial investigation has not shown that the tokens were used “to access any private messages or posts or to post anything to these accounts” so far.
Facebook still has no idea who the attackers are, or where they’re based.
According to Facebook, its investigation is in its early stages, and the company doesn’t know if any accounts were actually accessed using stolen tokens.