TY Lim/Shutterstock (Licensed)
If you got logged out of your account this morning, you were affected.
Facebook announced Friday that it discovered a data breach affecting at least 50 million users. While the company has figured out how the attackers exploited the site, the identity and location of the attackers behind this Facebook data breach, which happened on Tuesday, Sept. 25, are still under investigation.
The hackers were able to penetrate Facebook thanks to a bug in its “view as” tool. This feature lets users view their Facebook profile as if they were a stranger or a particular friend—a security measure for checking profile privacy settings.
According to the New York Times, that bug was paired with another in the app’s video-uploading system (a happy birthday video uploading tool, to be specific). This let attackers steal access tokens to user accounts. (Facebook explains that access tokens “are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”) Once the hackers obtained these keys, they gained the ability to take over other user accounts.
Since discovering this Facebook data breach, the company has fixed the vulnerability. As a precautionary measure, the company also logged out and reset the access tokens of 90 million users Friday morning, requiring them to log back in and reconnect Facebook-connected apps. Once affected users log back in, a notice at the top of their feed will explain the situation. Users don’t need to reset their passwords—at this point, there’s no evidence that passwords were compromised, only user access tokens.
Facebook has reported the data breach to authorities as it continues to investigate its origins and extent. In the meantime, it’s switched off the “view as” feature while it undergoes a security review.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Facebook VP of Product Management Guy Rosen wrote in a blog post. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details.”
Since the Cambridge Analytica scandal surfaced earlier this year, Facebook has been scrambling to polish its image and regain user trust. It’s run a series of ads apologizing for its past behavior, and made efforts to make its privacy controls simpler and easier to understand.
H/T the New York Times
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.