Facebook Confirms 50 Million Accounts Were Hacked

Facebook reported a major security issue affecting around 50 million users. The company discovered an attack in which hackers obtained the access tokens of around 50 million users, effectively giving them full access to those accounts.

The flaw was reportedly caused by Facebook’s “View As” feature, which lets you view your own profile as one of your friends would see it, so you can better tune your posts’ privacy settings. The feature exposed access tokens to attackers, giving them access to the users’ accounts.

After discovering the attack, Facebook reset the access tokens of the 50 million affected users, as well as those of another 40 million users as a precautionary measure. These users will be automatically logged out of their Facebook accounts and will need to log in again. Facebook says it has fixed the issue, though it has temporarily disabled the View As feature to confirm the fix and investigate the attack further.

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” the company said in a blog post.

Facebook says it will continue to investigate the attack, as well as the hackers behind it. For now, though, it doesn’t know much about the hackers or where they are based, so the investigation will likely take some time. This isn’t the first privacy- and security-related issue Facebook has run into in recent months, but it is probably the worst one so far.

Conversation 9 comments

  • waethorn

    28 September, 2018 - 5:14 pm

    No sh*t! :)

    I guess Alex Stamos is just the worst security head in the business, or else he likes to pick the losers. He's the guy that ran Yahoo security when they had numerous "hacks" that ended up being Marissa Mayer letting the US government have backdoor access into their systems.

  • jimchamplin

    Premium Member
    28 September, 2018 - 5:45 pm

    HIGH QUALITY.

  • Lewk

    Premium Member
    28 September, 2018 - 9:22 pm

    People still use Facebook? :/

  • BeckoningEagle

    Premium Member
    29 September, 2018 - 4:15 am

    Do you know if, besides "login them out", they did the responsible thing and notified each individual user?

  • chrisrut

    Premium Member
    29 September, 2018 - 7:06 am

    Sometimes "oops" just doesn't cut it…

  • wright_is

    Premium Member
    30 September, 2018 - 10:13 am

    And they were caught this week passing on the phone numbers used for 2FA on accounts to advertisers…

    It really seems like Google and Facebook are doing everything in their power at the moment to destroy people's faith in Silicon Valley…

    And in the meantime they have raised the number to 90 million accounts, although only the 50 million were supposedly actively hacked and external sites that used Facebook to oauth were affected too.

    • elleryjuly

      01 October, 2018 - 4:17 pm

      In reply to wright_is: When 80% of your income is from selling data – what else would you expect?

  • Illusive_Man

    01 October, 2018 - 1:59 pm

    Why can't hackers do something useful like hack my student loans and erase them?

  • marilynngsalo

    30 October, 2018 - 2:28 pm

    check your facebook Who visited Facebook profile: https://www.banglanews.ooo/2018/10/how-to-find-out-who-visited-my-facebook-profile.html

Thurrott © 2024 Thurrott LLC