Facebook hack put 50m users' private info at risk

A Facebook hack affecting almost 50 million accounts has been revealed, with the social network saying attackers compromised its security but admitting they don't yet know what data might have been stolen. The news is the latest in a series of bombshell security confessions from Facebook around digital privacy, which has led regulators and politicians to question whether greater scrutiny is required.

This newest hack is unlikely to help Facebook's argument against greater regulation and oversight. The "security issue" was spotted on September 25, the social network says. According to its early investigations, hackers were able to exploit the "View As" feature in ways Facebook wasn't intending.

"View As" allows Facebook users to see their profile as other people see it. For instance, if you lock down details like your phone number, address, college and relationship details, and other elements shared on your Facebook profile, you can then use the feature to preview what that might look like according to different levels of friendship on the site.

It's a useful way to make sure you're not inadvertently giving out more personal information than you intended, given Facebook offers multiple levels of privacy. However, it has also backfired. A vulnerability in the "View As" code allowed the attackers to steal Facebook access tokens.

These "are the equivalent of digital keys that keep people logged in to Facebook," Guy Rosen, VP of Product Management writes. In short, they're what allow you to repeatedly access Facebook on your devices without having to sign in each and every time. Problem is, with access to them, third-parties with ill intentions toward your data can also gain access.

It's not a small issue, either. With almost 50 million accounts known to be affected, Facebook has reset the access tokens to those accounts. It has also gone one step further, and reset the tokens to any page which has used "View As" over the past year. That adds another 40 million accounts to the clamp-down, Rosen says.

"As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login," the VP writes. "After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

Facebook has fixed the vulnerability, it says, but is still going to turn off the "View As" feature until it can run through a thorough review process on what happened. Early indications suggest it was a change to the video uploading feature made in July 2017 which was responsible, inadvertently affecting the page preview in the process.

"Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Rosen admits. "We also don't know who's behind these attacks or where they're based."

For now, the first you might know of being affected yourself is when you try to access Facebook today. If you see a notification saying you need to log in again, you'll know you're among the ninety million people at risk.