Here’s what we know so far.

What actually happened?

Facebook announced that at least 50 million accounts were confirmed to be affected after attackers exploited a vulnerability that let them take over accounts and access the personal data in them. As a precaution, Facebook also logged out a further 40 million accounts that had used the affected feature in the last year, in case they had been exposed as well.

What data were the hackers after?

Mark Zuckerberg (Facebook’s CEO) said that the company has not yet seen any of the compromised accounts being improperly accessed, though that may change. Zuckerberg also confirmed that the attackers had used Facebook’s developer APIs to obtain some of the information linked to user profiles, such as “name, gender, and hometowns”.

What data wasn’t taken?

At this moment it looks unlikely that private messages were accessed, and it is clear that no credit card information was taken in the breach. This is subject to change as the company’s investigation progresses.

What are access tokens?

When you log in or create an account on Facebook for the first time you set a password, but most of the time when you visit Facebook.com you aren’t asked to enter it again. That is because an access token keeps you logged in: once your password has been checked, the site issues your browser or app a token that is presented on every later request to prove who you are. The token does not contain your password, so there is no need to change your password. The flip side is that a token is a bearer credential: anyone who obtains it can act as you without ever learning your password, which is why the response to this breach was to invalidate tokens rather than to reset passwords.

Why was I logged out of my Facebook account?

Because the attackers were using existing access tokens, Facebook invalidated those tokens, which logs everyone out; each user is issued a fresh token the next time they log in with their password. Facebook also turned off the feature that contained the vulnerability so that no new tokens could be obtained the same way.

Approximately 90 million Facebook users were logged out as a precautionary measure.

When did the attack take place?

The vulnerability had existed on the site since July 2017, but Facebook did not know about it until September 16, 2018, when it spotted a spike in unusual activity. That means the attackers could have had access to user data for a long time; Facebook is not yet sure when the attack began.

Who were the attackers?

Facebook says it does not know who exploited its service, and that the FBI is investigating. Although there is a lot of room for me to speculate here, I am not going down to the level of some other, unnamed publications that use the attack for clickbait and political gain. The Mainframe publishes content based on fact, and the truth is that in this regard we don’t have a lot of information yet.

How did the attackers get in? 

Three bugs combined to create the vulnerability. In July 2017, Facebook inadvertently introduced them through a change to its video uploader, Guy Rosen, Facebook’s vice president of product management, told reporters on a call. When someone used the “View As” feature to see their own profile as another person would see it, the video uploader occasionally appeared when it should not have been displayed at all. When it did appear, it generated an access token, and it generated that token for the person the profile was being viewed as rather than for the person actually logged in. An attacker who pulled that token out of the page could then present it to Facebook and act as the other person, without ever knowing their password.
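The following is an added example, not Facebook’s code, written to make the three points above concrete: how a bearer access token stands in for a password, how a page component that mints a token for the wrong principal becomes an account takeover, and why invalidating every token (logging everyone out) contains it. The `TokenStore`, the `view_as_vulnerable` and `view_as_fixed` handlers, and the user names are all hypothetical; tokens here are opaque random strings in a server-side table rather than signed tokens, which is enough to show the behaviour.

```python
# Added example (not Facebook's code): a toy model of bearer access tokens,
# the View As token-minting bug, and the mass log-out used to contain it.
import secrets


class TokenStore:
    """Server-side table of opaque bearer tokens: token -> user id.

    Real deployments use signed or encrypted tokens; a random opaque id kept
    server-side is enough to demonstrate the properties discussed in the post.
    """

    def __init__(self):
        self._tokens = {}

    def _mint(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id      # only the user id, never a password
        return token

    def login(self, user_id: str, password_ok: bool) -> str:
        # The password is checked once, at login; afterwards the token is
        # what proves identity on every request.
        if not password_ok:
            raise PermissionError("bad password")
        return self._mint(user_id)

    def whoami(self, token: str):
        # Bearer semantics: whoever presents a valid token acts as its user.
        return self._tokens.get(token)

    def revoke_all(self) -> int:
        # "Log everyone out": every existing token stops working, stolen or
        # not. Users get a fresh token when they next log in.
        count = len(self._tokens)
        self._tokens.clear()
        return count


def view_as_vulnerable(store: TokenStore, viewer_token: str, viewed_as: str) -> dict:
    """Model of the bug: the page is rendered as `viewed_as` would see it, a
    component that should not be there (the uploader) is rendered anyway, and
    it mints a token for the profile being viewed instead of the real viewer."""
    viewer = store.whoami(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    page = {"profile_of": viewed_as, "rendered_for": viewer}
    page["uploader_token"] = store._mint(viewed_as)   # wrong principal
    return page


def view_as_fixed(store: TokenStore, viewer_token: str, viewed_as: str) -> dict:
    """Fixed handler: View As is a read-only preview and places no token on
    the page at all; the viewer's own session is all that is ever needed."""
    viewer = store.whoami(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    return {"profile_of": viewed_as, "rendered_for": viewer}


def run_scenario() -> dict:
    """Attack, impact and containment with constructed users; returns observations."""
    store = TokenStore()
    victim_token = store.login("victim", password_ok=True)
    attacker_token = store.login("attacker", password_ok=True)

    # 1. Attacker views their own profile "as" the victim; the page carries a token.
    page = view_as_vulnerable(store, attacker_token, viewed_as="victim")
    stolen = page["uploader_token"]

    # 2. Presenting the stolen token is a full takeover: the server cannot
    #    distinguish it from the victim's own session.
    acts_as = store.whoami(stolen)

    # 3. Containment: invalidate every token (victim, attacker and the stolen one).
    revoked = store.revoke_all()
    stolen_after = store.whoami(stolen)
    victim_after = store.whoami(victim_token)

    # 4. The victim logs in again with an unchanged password and gets a new token.
    new_token = store.login("victim", password_ok=True)

    # 5. With the fix, View As puts no token on the page.
    fixed_page = view_as_fixed(store, new_token, viewed_as="attacker")

    return {
        "acts_as": acts_as,
        "revoked": revoked,
        "stolen_after": stolen_after,
        "victim_after": victim_after,
        "relogin_ok": store.whoami(new_token) == "victim",
        "token_on_fixed_page": "uploader_token" in fixed_page,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from step 3 is that revocation is global: the server cannot tell a stolen token from a legitimate one, so the only safe move is to cut every token off, which is exactly what users experienced as being logged out. Step 4 shows why no password change was needed, since the password was never part of what the attacker held.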

Were WhatsApp and Instagram accounts affected?

Facebook said it is not yet sure whether Instagram accounts were affected, but Instagram accounts linked to affected Facebook accounts were automatically secured once the Facebook access tokens were revoked. Affected Instagram users will have to unlink and relink their Facebook accounts in Instagram in order to cross-post to Facebook.

On a call with reporters, Facebook said there is no impact on WhatsApp users at all.

How do I know if my account is secure?

Once you log back into your Facebook account, go to the Security and Login settings page, which lists where you are currently logged in. If your access tokens were revoked and you had to log in again, you should see only the devices you logged back in with; any session you don’t recognise can be ended from that same page. Facebook says it will display a message at the top of the app, and a banner at the top of its website, for accounts known to have been affected.

Is it time to delete Facebook?

After all they’ve put us through, maybe, but if you’ve been on Facebook after all they did throughout the rest of this year, then I’m sure you’re going to stick around for a little while longer.

Alex

Posted by Alex

Founder & CEO of The Mainframe