Facebook announced on Friday afternoon that 50 million of its accounts had been breached.
Here is everything you need to know about the cyber attack.
- What happened?
In a post on the social network’s news site, Facebook vice president of product management Guy Rosen said a security breach affecting 50 million users had been discovered on Tuesday.
While the investigation is in its early stages, the firm said the hackers had exploited a vulnerability in Facebook’s code involving the “View As” feature, which lets people see what their own profile looks like to someone else.
In a later post, Facebook said the vulnerability had arisen from a combination of three distinct bugs, which meant the hackers were able to extract other users’ access tokens – the equivalent of digital keys that keep people logged in to the Facebook app.
It explained that when using the “View As” feature, the code had not removed the box that allows people to wish friends a happy birthday and incorrectly provided the opportunity to post a video.
In turn, the video uploader incorrectly generated an access token that had the permissions of the Facebook mobile app. The third bug meant that the access token generated was for the user being looked up, instead of the person doing the viewing.
Pedro Canahuati, vice president of engineering, security and privacy, said: “The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”
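The three-bug chain described above, modelled as an added example (this is not Facebook’s code; the user names, surface names and scope labels are assumptions). It places the faulty token minting beside the corrected version and includes the check a reviewer would run over everything a “View As” render produces.

```python
"""Added example modelling the article's bug chain. A 'View As' render is done
by an authenticated actor previewing a target profile; any token minted during
that render must belong to the actor and carry only the preview's scope."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    subject: str   # whose session this token represents
    scope: str     # "web" or "mobile_app" (assumed labels)


def mint_token_vulnerable(actor: str, viewed_user: str, surface: str) -> Token:
    # Bug 2: the video uploader surface is granted the mobile app's permissions.
    # Bug 3: its token is issued for the user being looked up, not the viewer.
    if surface == "video_uploader":
        return Token(subject=viewed_user, scope="mobile_app")
    return Token(subject=actor, scope="web")


def mint_token_fixed(actor: str, surface: str, view_as: bool) -> Token:
    # The principal is always the authenticated actor, and an impersonation
    # preview never yields an upload surface or an elevated scope.
    if view_as and surface == "video_uploader":
        raise PermissionError("no upload surface is rendered in View As mode")
    return Token(subject=actor, scope="web")


def render_view_as_vulnerable(actor: str, viewed_user: str) -> dict:
    # Bug 1: the birthday composer (and its uploader) is still shown in View As.
    surfaces = ["profile", "birthday_composer", "video_uploader"]
    return {s: mint_token_vulnerable(actor, viewed_user, s) for s in surfaces}


def render_view_as_fixed(actor: str, viewed_user: str) -> dict:
    surfaces = ["profile"]  # a preview renders read-only surfaces only
    return {s: mint_token_fixed(actor, s, view_as=True) for s in surfaces}


def audit(tokens: dict, actor: str) -> bool:
    """Defender check: every token minted in a View As render must be the
    actor's own and web-scoped; any other token is a sign of this bug class."""
    return all(t.subject == actor and t.scope == "web" for t in tokens.values())
```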
- Who was affected?
Facebook has not revealed whether any UK users were hit, or where the hacked accounts were based, only saying that it had affected almost 50 million of its more than two billion users.
Mr Rosen said the attack could have given the hackers access to other apps if a user had logged into them using their Facebook name and password – and said the firm was investigating whether there was any access to Instagram accounts. He confirmed, however, that WhatsApp was not impacted by the breach.
- What has Facebook done?
Facebook says it has already fixed the vulnerability and has informed law enforcement of the attack.
It has reset the access tokens of the hacked accounts, as well as another 40 million accounts that have been subject to a “View As” look-up in the last year.
As a result, around 90 million people were having to log back in to Facebook, or any of their apps that use Facebook Login.
- What should I do to protect my account?
Following the announcement of the breach, Facebook issued guidance on the next steps to take.
While some accounts have been automatically logged out, no one needs to change their passwords, the firm said.
Those who were not logged out automatically, but want to log out as a precaution, should visit the “Security and Login” section which lists all the places a user is logged in to Facebook.
People can use the one-click option to log out of Facebook on all PCs and devices it may have been accessed on.
Anyone who has difficulty logging back in should visit Facebook’s help centre.