It’s not been a good week for Facebook.
Today the social media giant admitted that almost 50 million accounts may have been compromised by an unknown attacker who obtained their access tokens, the credentials that keep users logged in so they don't have to re-enter a password every time they use the service. Another 40 million accounts are also in question. As a result, some 90 million users have been logged out and asked to sign in again after the company reset their access tokens.
It may also affect other web sites and apps where people use Facebook Login to sign in, since those services accept the same Facebook access tokens.
Facebook has some 2 billion users.
Users don't have to change their passwords. Facebook has not yet determined whether the affected accounts were misused or whether any information was accessed.
Meanwhile, on Thursday privacy advocates were up in arms after Facebook admitted that the phone numbers subscribers provide for two-factor authentication are also being used to target advertising.
–First the data breach:
Facebook VP of product management Guy Rosen said Friday that on Sept. 25 its engineering team discovered a “security issue” affecting almost 50 million accounts. Attackers “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The access tokens for those accounts were reset, so those users have to log back in. In addition, as a precaution, Facebook reset access tokens for another 40 million accounts that have been the subject of a “View As” look-up in the last year.
The “View As” feature has been turned off for the time being.
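The response described above, invalidating every outstanding access token for a set of accounts so that a stolen token stops working while passwords stay untouched, is a standard breach-containment step. The following is an added illustration written for this article, not Facebook's code: a small server-side token store with opaque bearer tokens (stored only as hashes), per-account bulk reset, and a constructed scenario with hypothetical users "alice", "bob", "carol" and "dave" in which an attacker holding a copied token is locked out by the reset and the legitimate user simply logs in again.

```python
"""Server-side access-token revocation as a breach response (added example).

Not Facebook's implementation. Models the mitigation described in the article:
reset all tokens for affected and precautionary accounts, so a stolen token is
rejected and legitimate users are asked to log in again. Passwords are untouched.
Timestamps are passed in explicitly so the scenario is deterministic.
"""
import hashlib
import secrets


class TokenStore:
    def __init__(self):
        # token_hash -> (user_id, issued_at). Only the hash is stored, so a
        # database leak does not hand an attacker usable tokens.
        self._tokens = {}
        # user_id -> cutoff; any token issued before the cutoff is rejected,
        # which also covers tokens cached or replicated elsewhere.
        self._reset_after = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Mint an opaque, unguessable bearer token after a successful login."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._h(token)] = (user_id, now)
        return token

    def validate(self, token: str, now: float):
        """Return the user_id for a live token, or None if unknown or revoked."""
        rec = self._tokens.get(self._h(token))
        if rec is None:
            return None
        user_id, issued_at = rec
        if issued_at < self._reset_after.get(user_id, 0.0):
            return None  # issued before the account's reset: force re-login
        return user_id

    def reset_accounts(self, user_ids, now: float) -> int:
        """Invalidate every token for the given accounts; return how many were revoked."""
        user_ids = set(user_ids)
        for uid in user_ids:
            self._reset_after[uid] = now
        doomed = [h for h, (uid, _) in self._tokens.items() if uid in user_ids]
        for h in doomed:
            del self._tokens[h]
        return len(doomed)


def breach_response_demo() -> dict:
    """Constructed scenario: alice and bob are affected, carol is precautionary,
    dave is untouched. Returns the observable outcomes for checking."""
    store = TokenStore()
    t = 1000.0
    alice_tok = store.issue("alice", t)
    store.issue("bob", t)
    store.issue("carol", t)
    dave_tok = store.issue("dave", t)
    stolen = alice_tok  # attacker copied alice's token via a token-disclosure bug

    results = {"stolen_before_reset": store.validate(stolen, t + 1)}

    affected = {"alice", "bob"}
    precautionary = {"carol"}
    results["revoked"] = store.reset_accounts(affected | precautionary, t + 2)

    results["stolen_after_reset"] = store.validate(stolen, t + 3)
    results["dave_still_logged_in"] = store.validate(dave_tok, t + 3)

    # alice logs in again with her unchanged password and gets a fresh token;
    # the attacker's copy stays dead because the reset is keyed to issue time.
    new_alice = store.issue("alice", t + 4)
    results["alice_new_token"] = store.validate(new_alice, t + 5)
    results["stolen_still_dead"] = store.validate(stolen, t + 5)
    return results


if __name__ == "__main__":
    for k, v in breach_response_demo().items():
        print(f"{k}: {v}")
```

The per-account cutoff matters more than deleting rows: validators that cache token records, or relying parties that check a token with the provider, will see the same cutoff, so a token copied before the reset is rejected everywhere and not only where the row was deleted. That is the mechanism by which resetting tokens at the identity provider also logs users out of sites that rely on it for sign-in.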