You may not have noticed, but it turns out that there was a massive massive data breach at Facebook last week. Over 90 million users on the site were forced to log out and then log back into their accounts, and it is suspected that these people may have been the hardest hit by the hack. For these people, Facebook initiated a forced password change to secure their accounts right away.
The security breach occurred on Friday afternoon when a group of unidentified hackers managed to exploit three previously unknown vulnerabilities on the social media website and mobile application. The hackers reportedly stole data from 50 million users, but the website ended up resetting the tokens of 90 million Facebook users out of an abundance of caution. So just because you were locked out, doesn’t necessarily mean that your data was stolen, but you should still take all of the necessary precautions.
In a conference call with reporters, Facebook vice president of product Guy Rosen gave some important updates on the situation. Rosen explained that the company managed to detect the breach after the security team noticed an unusual spike in traffic on its servers which revealed a massive cyberattack that had been going on since September 16th. Rosen also said that the discovery revealed three bugs that Facebook was able to fix.
The first bug incorrectly offered users a video uploading option within certain posts that enables people to wish their friends ‘Happy Birthday,’ when accessed on the “View As” page. Another bug was in the video uploader which incorrectly generated an access token that had permission to log into the Facebook mobile app. The third bug somehow targeted friends of the affected user. The company says that your password was not compromised, but the hackers were able to gain access to your account anyway. It is still best practice to change your password anyway just in case, especially if you are one of the many users who were logged out last week.
Facebook is now facing a class-action lawsuit after the data breach. Just after news of the hack went public two Facebook users, Carla Echavarria from California and another anonymous user from Virginia, filed a class-action complaint against the company in the US District Court for the Northern District of California.
As we explained in an article earlier this week, you can check your active sessions on Facebook to find out if someone has been inside of your account, which applies to this hack as well. The instructions can be found below:
To get started, just select Security and login.
From there you’ll be able to see where you’re logged in, and provides information like the type device of device that logged in and its location, as well as showing which devices are ‘active now,’ along with a history of all logins.
If you see a device you don’t recognize or trust, you will have the option to log that device out of your account. You also have the option to log out of all the devices that are currently logged in.
Facebook Hack: 10 Important Updates You Need To Know About – by thehackernews.com
1.) Facebook Detected Breach After Noticing Unusual Traffic Spike — Earlier this week, Facebook security team noticed an unusual traffic spike on its servers, which when investigated revealed a massive cyber attack, that had been ongoing since 16 September, aimed at stealing data of millions of Facebook users.
2.) Hackers Exploited Total 3 Facebook Vulnerabilities — The hack was accomplished using three distinct bugs of Facebook in combination.
The first bug incorrectly offered users a video uploading option within certain posts that enables people to wish their friends ‘Happy Birthday,’ when accessed on “View As” page.
The second bug was in the video uploader that incorrectly generated an access token that had permission to log into the Facebook mobile app, which is otherwise not allowed.
The third bug was that the generated access token was not for you as the viewer, but for the user that you were looking up, giving attackers an opportunity to steal the keys to access an account of the person they were simulating.
3.) Hackers Stole Secret Access Tokens for 50 Million Accounts — The attackers walked away with secret access tokens for as many as 50 million Facebook users, which could then be used to take over accounts.
Access Tokens “are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”
4.) Your Facebook Account Password Has Not Been Compromised, But, Wait! — The good news is that the attack did not reveal your Facebook account passwords, but here’s the bad news — it’s not even required.
An application or an attacker can use millions of secret access tokens to programmatically fetch information from each account using an API, without actually having your password or two-factor authentication code.
5.) Hackers Downloaded Users’ Private Information Using Facebook API — Although it is not clear how many accounts and what personal information was accessed by hackers before Facebook detected the incident, the year-old vulnerabilities had left all your personal information, private messages, photos and videos wide open for hackers.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the company said.
6.) Your “Logged in as Facebook” Accounts at 3rd-Party Apps/Websites Are At Risk — Since secret tokens enabled attackers to access accounts as the account holder themselves, it could have allowed them to access other third-party apps that were using Facebook login — a feature that lets you sign up for, and log in to, other online services using your Facebook credentials.
7.) Facebook Reset Access Tokens for 90 Million Accounts — In response to the massive breach, Facebook reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution. This means that nearly 90 Million Facebook users were logged out of their accounts on Friday.
8.) Check Active Sessions on Facebook to Find If Your Account Have Been Hacked — Many Facebook users have noticed unknown IP addresses from foreign locations that apparently had accessed their account unauthorizedly.
You can head on to “Account Settings → Security and Login → Where You’re Logged In” to review the list of devices and their location that have accessed your Facebook account.
If you found any suspicious session that you never logged in, you can revoke back the access in just one click.
9.) Breach Isn’t Connected to the Hacker Who Pledged to Delete Zuckerberg’s Personal Page — Earlier this week, a Taiwanese hacker, Chang Chi-Yuang, claimed that he would demonstrate a critical zero-day vulnerability in Facebook by broadcasting himself hacking Mark Zuckerberg’s Facebook page on Sunday.
However, it is not clear whether the latest Facebook breach has anything to do with Chang’s hack, at least Facebook does not believe so.
Besides this, Chang Chi-Yuang Today says he canceled the stream and reported the bug to Facebook.
10.) Facebook Faces Class-Action Lawsuit Over The Massive Hack — Just after the news of the breach went public, two residents, Carla Echavarria from California and another from Virginia, filed a class-action complaint against the social media giant in US District Court for the Northern District of California.
Both allege that Facebook failed to protect their and additional potential class members data from going into wrong hands due to its lack of proper security practices.
The social media giant has already been facing criticism on handling of user data and its privacy policies in the wake of the Cambridge Analytica scandal, in which personal data of 87 million Facebook users was sold to and misused by a data-mining firm without their consent.
Facebook has already reset account logins for tens of millions of users and is also advising affected users who had Instagram or Oculus accounts linked to their Facebook account to de-link and than link those accounts again so that the access tokens can be changed.
The vulnerabilities exploited by the hackers are fixed, and Facebook is working with the FBI to investigate the security incident, which has impacted approximately 2.5% of Facebook users of its over 2 billion user base.
Since the investigation is still in the early stages, Facebook has yet to determine whether the attackers misused the stolen access tokens for 50 million accounts or if any information was accessed.