On Tuesday, Facebook’s engineering team discovered that a security issue had been exploited, affecting almost 50 million Facebook users.
The attackers exploited a vulnerability in the code that allowed them to obtain the access tokens of other Facebook users. Access tokens are like digital keys: they let a user stay logged in without re-entering a password on every request. Without access tokens, using Facebook, or any of the many other sites that rely on similar session mechanisms, would be slow and inconvenient.
A flaw in the code made users’ access tokens visible
The attackers obtained the access tokens by abusing the “View As” feature, which lets you see your own profile as another user would see it. Whoever holds a valid access token can act as that user without knowing the password. Almost 50 million users were affected. For a more detailed account that is updated as the investigation progresses, read Facebook’s Newsroom post.
As a security measure, Facebook reset the access tokens of the affected accounts. The old tokens stopped working, so all these users had to log in again the next time they used Facebook. The attackers may have gained access to affected Facebook accounts, but they did not compromise Facebook’s user database: the token was exposed in the HTML source of a specific page, and simply reading it there was enough.
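The two mechanisms described above, an access token that keeps a user logged in and a server-side reset that makes every previously issued token unusable, are easy to model in a few lines. The following is an added illustration written for this post; it is not Facebook’s code and it makes no claim about how Facebook’s tokens are actually built. It assumes a simple HMAC-signed token carrying the user id, an expiry, and a per-user “generation” counter. Resetting a user’s tokens just bumps that counter, so every token signed under the old generation fails verification even though its signature is still valid.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe in URLs and headers.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    # Restore the padding stripped by _b64e before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Issues and verifies signed access tokens and supports per-user revocation.

    Hypothetical design for illustration: the token is
    base64(payload) + "." + base64(HMAC-SHA256(secret, payload)).
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 3600):
        self._secret = secret
        self._ttl = ttl_seconds
        # Current generation per user. Every token records the generation it was
        # issued under; bumping the counter invalidates all earlier tokens.
        self._generation: Dict[str, int] = {}

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        body = {
            "sub": user_id,
            "gen": self._generation.get(user_id, 0),
            "exp": int(now) + self._ttl,
        }
        payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
        return _b64e(payload) + "." + _b64e(self._sign(payload))

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the token is valid for, or None if it must be rejected."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return None
        try:
            payload = _b64d(parts[0])
            sig = _b64d(parts[1])
        except ValueError:
            return None
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        try:
            body = json.loads(payload)
        except ValueError:
            return None
        if body.get("exp", 0) <= now:
            return None  # expired
        user_id = body.get("sub")
        # A token from an older generation is still correctly signed but has been
        # revoked by reset_tokens(); this is the "old tokens became unusable" step.
        if body.get("gen") != self._generation.get(user_id, 0):
            return None
        return user_id

    def reset_tokens(self, user_id: str) -> None:
        """Invalidate every outstanding token for this user, forcing a fresh login."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    svc = TokenService(b"constructed-demo-secret", ttl_seconds=60)
    tok = svc.issue("alice", now=1000)
    print("before reset:", svc.verify(tok, now=1010))  # alice
    svc.reset_tokens("alice")
    print("after reset: ", svc.verify(tok, now=1010))  # None
    print("fresh token: ", svc.verify(svc.issue("alice", now=1020), now=1030))  # alice
```

The generation counter is what lets a site reset millions of sessions at once without touching passwords: the stored secret and the signing key stay the same, only the per-user counter changes. Note that the token is only as secret as the places it is written to; a signed token that ends up in a page rendered for the wrong principal, as described above, is fully usable by whoever reads that page until it expires or is revoked.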
Facebook also fixed the vulnerability and disabled the “View As” feature. It is investigating how the vulnerability was abused and is keeping “View As” disabled while the investigation continues.
As a precaution, Facebook also reset the access tokens of another 40 million users whose profiles had been looked up with “View As” during the last year. In total, around 90 million Facebook users were forced to log back in to Facebook.
So far, there is no information on whether the affected accounts were misused or their information accessed. The attackers are still unknown, and there is no information about where the attack originated.
Because Facebook has already reset the access tokens, there is no need to change your password. Changing it is never a bad idea, though; if you need help generating passwords or managing them, I suggest that you read this post about passwords.