Facebook Confirms 50 Million Accounts Were Hacked

Posted on September 28, 2018 by Mehedi Hassan in Social with 9 Comments

Facebook reported a major security issue affecting around 50 million users. The company discovered an attack in which hackers obtained the access tokens of around 50 million users, effectively giving them full access to those 50 million accounts.

The flaw was reportedly caused by Facebook’s “View As” feature, which lets you view your own profile as one of your friends would see it, to better tune your posts’ privacy settings. The feature gave away the access token to attackers, giving them access to the users’ accounts.

After discovering the attack, Facebook reset the access tokens of the 50 million users affected, as well as those of another 40 million users as a precautionary measure. These users will be automatically logged out of their Facebook accounts and will have to log back in. Facebook says it has fixed the issue, though it has temporarily disabled the View As feature to confirm the fix and investigate the attack further.
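The reset Facebook describes is, in general terms, a server-side invalidation of every access token issued before a given moment, forcing affected users to sign in again. The Python below is an added illustration of one common way to implement such a reset; it is not code from the article or from Facebook's systems. Each token carries a per-user generation number protected by an HMAC, and a reset simply bumps that generation so every earlier token fails validation while freshly issued tokens succeed. The signing key, user identifiers and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Per-user token generation. Bumping it invalidates every token issued
# before the bump without having to track or look up individual tokens.
_token_generation = {}


def _generation(user_id):
    return _token_generation.get(user_id, 0)


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id):
    """Mint a token bound to the user's current generation number."""
    payload = f"{user_id}:{_generation(user_id)}:{int(time.time())}"
    return f"{payload}:{_sign(payload)}"


def validate_token(token):
    """Return the user id if the token is authentic and current, else None."""
    try:
        user_id, gen, issued, tag = token.rsplit(":", 3)
    except ValueError:
        return None  # malformed token
    payload = f"{user_id}:{gen}:{issued}"
    # Constant-time comparison so tampering cannot be detected by timing.
    if not hmac.compare_digest(tag, _sign(payload)):
        return None  # forged or modified token
    if int(gen) != _generation(user_id):
        return None  # issued before the user's last reset
    return user_id


def reset_tokens(user_ids):
    """Invalidate all outstanding tokens for the given users; returns the count."""
    for uid in user_ids:
        _token_generation[uid] = _generation(uid) + 1
    return len(user_ids)


if __name__ == "__main__":
    tok = issue_token("alice")          # "alice" is a constructed user id
    print("before reset:", validate_token(tok))
    reset_tokens(["alice"])
    print("after reset:", validate_token(tok))
    print("new token:", validate_token(issue_token("alice")))
```

Because validation checks the generation stored server-side rather than a per-token deny list, a mass reset of tens of millions of users costs one counter increment per user and needs no record of which tokens were ever issued.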

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” the company said in a blog post.

Facebook says it will continue to investigate the attack, as well as the hackers behind it. For now, though, it doesn’t know much about the hackers or where they are based, so the investigation will likely take some time. This isn’t the first privacy and security issue Facebook has run into in recent months, but it is probably the worst one so far.


9 responses to “Facebook Confirms 50 Million Accounts Were Hacked”

  1. waethorn

    No sh*t! :)

    I guess Alex Stamos is just the worst security head in the business, or else he likes to pick the losers. He's the guy that ran Yahoo security when they had numerous "hacks" that ended up being Marissa Mayer letting the US government have backdoor access into their systems.

  2. jimchamplin


  3. Lewk

    People still use facebook? :/

  4. BeckoningEagle

    Do you know if, besides "login them out" they did the responsible thing and notified each individual user?

  5. chrisrut

    Sometimes "oops" just doesn't cut it...

  6. wright_is

    And they were caught this week passing on the phone numbers used for 2FA on accounts to advertisers...

    It really seems like Google and Facebook are doing everything in their power at the moment to destroy people's faith in Silicon Valley...

    And in the meantime they have raised the number to 90 million accounts, although only the 50 million were supposedly actively hacked and external sites that used Facebook to oauth were affected too.

  7. Illusive_Man

    Why can't hackers do something useful like hack my student loans and erase them?

  8. marilynngsalo

    check you facebook Who visited Facebook profile