MANILA, Philippines (UPDATED) – Facebook on early Saturday morning, September 29 (September 28, US time), explained why people got logged out of their Facebook accounts. They were implementing a fix to a security breach that allowed hackers to exploit a bug in the platform’s “view as” feature.

“View as” is a feature that lets people see what their own profile looks like to someone else.

In a blog post, Guy Rosen, Facebook Vice President of Product Management, said their engineering team discovered the breach on the afternoon of Tuesday, September 25. He added that it affected almost 50 million accounts. 

Rosen explained that the breach allowed the attackers to steal Facebook access tokens which they could then use to take over people’s accounts.

Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Facebook CEO Mark Zuckerberg, in a post on the social network, also said, “an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook.”

Sophisticated hack

No passwords were taken in the breach, only “tokens,” according to Rosen.

Information hackers appeared interested in included names, genders, and home towns, but it was not clear for what purposes, Facebook executives said in a telephone briefing. 

Facebook is trying to determine whether hackers tampered with posts or messages. 

Tech website Wired also notes in its report that the breach potentially affects more than just Facebook on account of its Single Sign-On service. This service lets users use their Facebook account to create accounts and login to other websites. 

The social network acknowledged that hackers could have also gotten into third-party applications linked to Facebook accounts, but said it was too early to determine whether that happened.

Attackers would have been able to meddle with Instagram accounts lined to Facebook, but could not have tampered with the social network’s WhatsApp messaging service, according to executives.

Facebook said that it noticed an unusual spike in activity on September 16 and determined 9  days later that it was malicious.

Hackers took advantage of a “complex interaction” between 3 software bugs, which required a degree of sophistication, according to Rosen. The vulnerability was created by a change to a video uploading feature in July of 2017. 

“We may never know who is behind this,” Rosen said. “This is not an easy investigation.”

Fixes

Rosen said they’ve fixed the vulnerability and informed law enforcement.

The company also reset the access tokens of almost 50 million accounts and an additional 40 million accounts subjected to a “View As” look-up in the last year. 

“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” Rosen said.”

Facebook is also turning off the View As feature until a security review is completed.

Facebook added it has “yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”

The company has said it will reset other accounts as needed that they find were affected. 

While Facebook has said users do not need to reset their password information, you may still want to do a security review of your password information on Facebook, as well as check in case anything has been changed on your account.

If you are among those who were forced to log out, it may also still be prudent to change your password.

While Facebook has already said resetting tokens would require users to input passwords when logging in to third-party apps, it would also be prudent to check your security settings and log-out of existing sessions. See the screenshot of where to do this below.

Deeper problems

Democratic US Senator Mark Warner cited the breach as further proof of the privacy danger of companies such as Facebook and Equifax not adequately protecting the massive amounts of information they gather about people.

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Warner said in a statement.

“As I’ve said before – the era of the Wild West in social media is over,” he added.

The breach is the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016. 

Facebook is working with data privacy regulators as well as law enforcement, according to Rosen.

Facebook this year is doubling to 20,000 the number of workers devoted to safety and security.

When asked why people should still trust Facebook with their personal information, Zuckerberg outlined anew ways the social network is ramping up defenses. 

“As I’ve said a number of times, security is an arms race,” Zuckerberg said.

But Facebook may have deeper problems, said Jonathan Zittrain, a Harvard law professor and co-founder of university’s Berkman Klein Center for Internet & Society.

“There is a structural problem here,” Zittrain said in a tweet.

“Facebook has one of the best and most well-resourced cybersecurity outfits in the world, yet a breach of its servers appears to have compromised tens of millions of accounts in still-undisclosed ways,” he added. – With reports from Agence France-Presse and Gemma B. Mendoza/Rappler.com