Facebook recently announced that a security breach affecting nearly 50 million users and their accounts took place last week. According to a company representative, those responsible for the breach were able to exploit a vulnerability found within the “View As” feature, which enables users to see how their profiles appear to others. As of the initial report, it is unknown if those responsible either accessed confidential information or misused the accounts in any way.
However, Facebook representatives do know that the hackers were able to steal Facebook access tokens from the “View As” feature code. These tokens allow users to keep themselves logged in without having to enter their password every time their account is accessed. This also allowed the hackers to leverage these tokens to help take over additional accounts.
Facebook says it is unknown exactly how much damage has been done as a result of this situation, citing the fact that the company has only recently started its investigation into the issue. Furthermore, the company is unsure of exactly who is responsible or where they are located.
Company representatives have also stated that the issue has been fixed and that the “View As” feature is being temporarily deactivated while a security review is conducted. Facebook says that law enforcement has been made aware of the issue, and that the stolen access tokens have all been reset, with the affected users having been automatically logged out of their Facebook accounts as a result. Facebook also states that those who have been logged out will receive a notification at the top of their News Feed explaining what has happened when they log back in.