If you found yourself needing to log in to Facebook this morning, there is a good chance you’re affected by the latest Facebook “security issue.”
Facebook announced on Friday that hackers had taken advantage of security flaws in the code of the social network’s “View As” feature, which allows users to see what their profile looks like to other users. Hackers used the flaw to steal access tokens, which are digital “keys” that allow users to stay logged in to the social network.
Affected users have been automatically logged out, and will be required to log back in the next time they access the service. Affected users will see a notification explaining what happened.
Facebook says they’ve taken the following steps in the wake of the hack:
Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement.
Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.
It has not been determined if the compromised accounts were misused in any way or if the users’ information had been accessed. The service does not know who executed the attacks.
Facebook says it is “sorry this happened,” along with the usual boilerplate about how their users’ privacy and security “is incredibly important.” Blah, blah, blah.
The announcement comes just one day after the social network admitted that it uses phone numbers that users provided for 2-factor authentication to target ads.