Friday, Mark Zuckerberg, the CEO of Facebook, announced that hackers gained access to 50 million accounts. How is Facebook handling the incident?
The company says it does not know who the hackers were or where they were located. It does, however, say that the hackers gained access by exploiting a bug in Facebook’s code. The bug granted them access to 50 million access tokens. These tokens are what keep a user signed in after they leave or close Facebook.
With these access tokens, the hackers could log in as the users. They could post to Facebook and send private messages. Zuckerberg’s own account was also at risk.
But the company says that it does not appear that the hackers did anything with the accounts before it caught the breach. Zuckerberg told reporters Friday, “We do not yet know if any of the accounts were actually misused.” Facebook also says that it has fixed the programming error.
Guy Rosen is Facebook’s vice president of product management. He said, “We haven’t yet been able to determine if there was specific targeting” of particular accounts. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”
Thomas Rid is a professor at the Johns Hopkins University. He said, “Nothing we’ve seen here is so sophisticated that it requires a state actor. Fifty million random Facebook accounts are not interesting for any intelligence agency.”
Also, Facebook has reported the breach to the FBI and European authorities.
Jake Williams is a security expert at Rendition Infosec. He said he’s concerned that the Facebook breach might have affected third-party apps connected to Facebook. Many websites allow users to log in using their Facebook credentials. Williams said, “These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site.”
Facebook confirmed that third-party apps and sites, including Instagram, were at risk. “The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves,” said Rosen.
To combat the problem, Facebook reset the access tokens for all 50 million user accounts. It also reset another 40 million it considered at risk. Users now simply need to log back in. Rosen says that users do not need to reset their passwords. Security experts, however, say that it wouldn’t hurt to take that extra step.