…and if you were logged out of your account last Friday or somehow prompted to sign in again, there’s a good chance that yours was among those that were affected.
On 28 September 2018, the social media giant announced that an unprecedented security issue affected almost 50 million user accounts. While the company claims that it has been able to address the vulnerabilities that made the platform vulnerable to the attack, they did acknowledge that the culprits were likely to have seen everything in a victim’s profile.
What remains unclear, however, is whether the hackers were also able to access everyone’s private messages, or whether any personal data mined from the accounts was used improperly.
How It Happened
It all started with Facebook’s “View As” feature, which allows users to, as the name suggests, view their account as someone else, such as a friend or acquaintance on the platform, or even as a complete stranger.
The feature’s code apparently still rendered the box that lets people wish friends a happy birthday, and with it the option to post a video onto a user’s page. This loophole enabled the video uploader to generate an access token, which came with permissions from the app.
Unfortunately, a third bug meant that the access token generated in the previous step ended up being for the person being looked up with the “View As” feature instead of the one who was actually viewing the profile in question. This, of course, gives the attackers a foothold on that account, letting them perform the same actions and garner additional access tokens.
Now, it’s bad enough for intruders to take over one person’s account in such a manner, but given Facebook’s global reach, the company ended up having to log out not just the 50 million people confirmed to be affected by the attack, but also the additional 40 million upon whom the “View As” tool was used in the previous year.
Why The Breach Could Affect Your Security Beyond Facebook
Right now, you might be thinking, “Hmm, so what? I only post cat videos on my wall anyway. Why should I worry?”
Well, here’s the thing: if you’re like the majority of active Facebook users, you probably use your account to log in to other sites and services on the Internet, right? Instagram, Twitter, Foodpanda, Spotify, and even some online publications and retailers all allow their users to create accounts via Facebook rather than going through the trouble of creating a new one every single time.
After all, who can remember all their passwords for, say, 15 different websites or apps? Ain’t nobody got time for that.
But you see, there’s the rub. Thanks to the “Single Sign-On” feature, those access tokens that the hackers were able to generate through the breach give them access to other third-party apps that rely on the Facebook log-in to verify your identity.
Long story short, those stolen access tokens enable hackers to potentially gain access to virtually all your user accounts (except the ones that aren’t linked to your Facebook profile) on the Internet.
What You Can Do
While there still haven’t been any reports on the attackers hacking into third-party accounts since Friday and despite Facebook indefinitely suspending the “View As” feature, it’s quite clear that anything and everything on your profile has been exposed if your account was affected.
Sure, cat videos are harmless, but your full name, birth date, email address, and mobile number are also crucial confidential information that can be used to verify access to bank accounts or credit cards, and that’s just for starters. If you’ve ever posted anything incriminating on your wall, even if you restricted access to just yourself, it could possibly be used to extort money or favors from you in the wake of the breach.
Facebook’s advisory isn’t exactly calling for its users to change their passwords, but doing so surely won’t hurt. If you already use Facebook’s sign-in option, now would also be a good time to log out of the third-party sites or apps where you use it, and then log in again once you’ve changed your password.
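To make the chain described in this post concrete, here is an added example (not Facebook’s code, and not from the original post) that models the three pieces in a few dozen lines of Python: an identity provider minting access tokens, a “View As” preview that binds the token to the wrong account versus one that binds it to the logged-in session, a third-party site that accepts those tokens for single sign-on, and what a server-side log-out does and does not end. All names (IdentityProvider, RelyingParty, view_as_vulnerable, “viewer”, “previewed”) and the scopes are hypothetical, and the tokens are opaque random strings rather than anything Facebook issues.

```python
import secrets
from dataclasses import dataclass

# Constructed model of the 2018 "View As" token confusion and its SSO fallout.
# Every class, name and scope here is hypothetical, not Facebook's real code.


@dataclass
class Token:
    subject: str        # the account this token lets the bearer act as
    scopes: frozenset   # permissions granted with the token
    revoked: bool = False


@dataclass
class Session:
    user: str           # principal proven at login; never taken from the request


class IdentityProvider:
    """Mints opaque bearer tokens and tells relying parties whose they are."""

    def __init__(self):
        self._tokens = {}

    def issue(self, subject, scopes):
        tok = secrets.token_hex(16)
        self._tokens[tok] = Token(subject, frozenset(scopes))
        return tok

    def introspect(self, tok):
        t = self._tokens.get(tok)
        return None if t is None or t.revoked else t

    def revoke_all_for(self, subject):
        """Server-side log-out of every token for one account; returns the count."""
        hits = [t for t in self._tokens.values() if t.subject == subject and not t.revoked]
        for t in hits:
            t.revoked = True
        return len(hits)


COMPOSER_SCOPES = ("user_profile", "publish_video")   # hypothetical scope names


def view_as_vulnerable(idp, session, previewed_user):
    """Flawed preview: the video composer is rendered inside 'View As' and its
    token is minted for the profile being rendered, i.e. a request parameter."""
    return idp.issue(subject=previewed_user, scopes=COMPOSER_SCOPES)


def view_as_fixed(idp, session, previewed_user):
    """Hardened preview: the token subject comes from the authenticated session.
    The previewed user only selects what to render and is never a principal."""
    return idp.issue(subject=session.user, scopes=COMPOSER_SCOPES)


class RelyingParty:
    """A third-party site offering 'Log in with <IdP>'. It holds no password of
    its own and trusts the IdP's introspection answer about who the token is."""

    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}   # local session id -> IdP subject

    def login_with_token(self, tok):
        t = self.idp.introspect(tok)
        if t is None or "user_profile" not in t.scopes:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = t.subject
        return sid

    def is_logged_in(self, sid):
        return sid in self.sessions

    def logout_everywhere(self, subject):
        """Ends this site's own sessions for a user; IdP revocation never does."""
        dead = [s for s, who in self.sessions.items() if who == subject]
        for s in dead:
            del self.sessions[s]
        return len(dead)


def walk_through():
    """Runs the scenario from the post and returns the observable outcomes."""
    idp = IdentityProvider()
    music_app = RelyingParty(idp)
    viewer = Session(user="viewer")            # the logged-in account using View As
    bad_tok = view_as_vulnerable(idp, viewer, previewed_user="previewed")
    good_tok = view_as_fixed(idp, viewer, previewed_user="previewed")
    out = {
        "vulnerable_token_subject": idp.introspect(bad_tok).subject,   # "previewed"
        "fixed_token_subject": idp.introspect(good_tok).subject,       # "viewer"
    }
    sid = music_app.login_with_token(bad_tok)          # SSO trusts the wrong-subject token
    out["rp_logged_in_as"] = music_app.sessions[sid]   # "previewed"
    out["revoked_at_idp"] = idp.revoke_all_for("previewed")            # 1
    out["rp_login_after_revocation"] = music_app.login_with_token(bad_tok)  # None
    out["rp_session_survives_revocation"] = music_app.is_logged_in(sid)     # True
    out["rp_sessions_ended"] = music_app.logout_everywhere("previewed")     # 1
    return out


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k}: {v}")
```

The last three results are the reason for the advice above: revoking tokens at the identity provider (what a password change or a forced log-out does) stops new sign-ins with a stolen token, but a session a third-party site already created on the strength of that token stays alive until you log out of that site as well.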
Lastly, and this should go without saying, but perhaps we really should pay closer attention to what we post on social media. If a photo, video, or post could embarrass, or worse, endanger you in any way if it were to become public, you should probably delete it, or better yet, refrain from putting it up at all.
Stay safe, everyone.