Facebook previously said that, on 25th September, its engineering team discovered hackers had exploited a vulnerability in its code. The perpetrators took advantage of security flaws in Facebook's "View As" code, a feature that lets you see what your profile looks like to another user or the public. Facebook said the stolen access tokens were digital keys that allowed people to stay logged in to Facebook.
How and when did this happen?
- Hackers exploited a vulnerability in code for the "View As" feature
- The vulnerability (the result of three bugs) first appeared in 2017
- Hackers stole access tokens used to take over people's accounts
The investigation is still underway. It looks like hackers exploited a vulnerability -- the result of three bugs -- in Facebook’s code for the "View As" feature. They stole Facebook access tokens, which they could then use to take over people’s accounts. (These access tokens are described as "digital keys" that keep people logged in to Facebook so they don’t need to re-enter their password every time.)
The vulnerability in Facebook's code first appeared in July 2017, when Facebook made a change to a video uploading feature. It didn't notice any unusual activity until 14 September 2018, when it saw a jump in user access to the site. It launched an investigation and discovered this attack. So, the hackers had a chance to exploit the vulnerability in Facebook's code from July 2017 to late September 2018.
Who was affected and what was stolen?
Facebook originally said it reset access tokens for nearly 50 million accounts that were supposedly affected and another 40 million accounts that were "subject to a 'View As' lookup in the last year". In its most recent statement, Facebook revealed the hackers actually stole access tokens for 30 million accounts (revised from 50 million), and that they gained complete access to users' profiles.
Here's what the hackers accessed:
- For 15 million users, the attackers accessed two sets of information: name and contact details (phone number, email, or both, depending on what people had on their profiles).
- For 14 million users, the attackers accessed the same two sets of information, as well as other details on profiles (username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches).
- For one million users, the attackers did not access any information.
How to check if your Facebook account was hacked
You can check whether you were affected by visiting the Help Center.
Follow these steps:
- Go to this page.
- Scroll down to: Is my Facebook account impacted by this security issue?
From there, you’ll either see: you were not impacted; you were part of the 15 million who had their name and contact information accessed; or you're one of the 14 million who had a tonne more profile information accessed. Facebook also plans to send "customised messages" to all 30 million users affected. These messages will explain the extent of the damage and what you had stolen.
Who are the hackers?
Facebook doesn't know who executed the attacks or where they’re based.
Do you need to change your password?
Facebook said there is no need for anyone to change their passwords.
If you're still concerned, you can visit the "Security and Login" section in Settings to log out of all devices at once.
What's the plan of action?
- The vulnerability in Facebook's code has been fixed
- Facebook informed the authorities in September 2018
- Facebook began alerting users of the breach in September 2018
The vulnerability has been patched, and Facebook has informed the authorities and launched an investigation itself.
In September, when Facebook disclosed the security breach, it reset accounts for over 90 million people. Those users had to log back in to Facebook, including any of their apps that use Facebook Login. After they logged back in, they got a notification at the top of their News Feed explaining what happened. Lastly, Facebook has temporarily turned off the "View As" feature.
Has Facebook apologised?
Yes. Facebook said it is "sorry this happened". You can read the full apology here, or read an excerpt below:
"People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened."