Nearly 50 million Facebook user accounts were breached in the latest in a string of security lapses at the social media company. The breach was discovered Tuesday afternoon.
The attackers were able to exploit a feature in Facebook’s code that lets people see what their own profile looks like to someone else. Known as the “View As” feature, it was ironically created to give users more control over their privacy.
Instead, attackers exploited a vulnerability in the “View As” feature to steal Facebook access tokens, which could then be used to take over people’s accounts. These access tokens were built to keep people logged in to Facebook, eliminating the need to re-enter their password time and time again.
“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more.”
— Mark Zuckerberg
As a precaution, Facebook has reset the tokens of the nearly 50 million accounts that were affected, and of an additional 40 million accounts that used “View As” in the past year. That could explain why so many users reported getting booted out of their accounts and being asked to sign in again this past week.
Facebook states that there is no need to reset your password, though given the tanking confidence in the social media giant, we suggest you go ahead and reset it anyway.