Facebook has just announced that a security breach was discovered earlier this week, putting almost 50 million user accounts at risk.
Despite the fact that access tokens were stolen from millions of user accounts, Facebook admitted it didn’t know whether any personal information was gathered or misused, and that it was still in the early stages of its investigation.
The social media giant insists that the issue was taken very seriously and disclosed to law enforcement authorities, before finally getting fixed.
Technically speaking, the root of the breach was a loophole in the code for Facebook's “View As” feature, which lets people see what their Facebook profile looks like to someone else.
This flaw temporarily allowed hackers to steal access tokens: saved keys that keep users logged in so they don’t have to re-enter their passwords. Once logged in, hackers were able to take over a personal account and “pivot from that account to others to steal more tokens.”
According to Facebook, this became possible after a change was made to the video uploading feature on the platform in July 2017, which directly impacted the “View As” option.
As a result, the social media platform had to force 50 million affected accounts to log out, plus 40 million more that have used the “View As” feature in the last year. Almost 90 million users will have seen a statement from Facebook explaining exactly what happened.
The question on everyone’s mind is: what kind of data may have been accessed during the breach? Well, in theory, the worst thing an attacker could find would be anything published on your Facebook profile that you yourself can view: names, dates of birth, family members, and likely years of photos. However, Facebook also made it clear that “there is no need to change your password”.
So, now that everything has almost been settled, what can you concretely do to protect yourself from this kind of accidental vulnerability?
First things first, don't panic! Second, and most importantly, make sure to set up two-factor authentication on your online accounts, using an authenticator app instead of relying on SMS to deliver the codes. Myki is perfect for managing your 2FA codes, storing your passwords, and much more!
Fortunately, no passwords were compromised this time around, but that’s not always the case with data breaches. Use Myki’s Was I Hacked feature to make sure your private information hasn’t already been compromised in a past data breach.
Now that you’re fully armed with the necessary tools to securely manage your digital identity, make sure to keep an eye out for our latest security news and developments.
Let’s stay safe out there!