Posted by on Oct 1, 2018 in Security Incidents, Social Networking

Facebook logged me out of my Facebook account and Messenger. It was unusual, so I decided to investigate. I check and update my security and privacy settings regularly. I have MFA (Multi-Factor Authentication) enabled, and I also delete sessions for devices that I am no longer using.

Upon investigation, I found out that Facebook had been breached. The breach affected approximately 50 million users. Facebook discovered the breach on 25 September 18.

Upon further digging, I discovered that there were 3 vulnerabilities that led to this data exposure. The vulnerabilities had been present since July 2017, but Facebook only found out about them on 16 September 18, when it experienced a dramatic increase in unusual activity. This means that the hackers could have had access to user accounts for a long time; Facebook is not sure when the events began.

Mark Zuckerberg, Facebook’s CEO, said that they had not seen any accounts compromised or improperly accessed. He said the hackers were using the Facebook developer API to obtain information linked to a user’s profile, such as age, gender and hometown.

“Articles about the data breach by the Guardian and the Associated Press were temporarily flagged as spam on Facebook, preventing users from sharing news of the attack on their profiles. The company attributed the error to its “automated systems” and apologized, but did not provide further explanation.” (Julia Carrie Wong from “The Guardian”)


What data was breached/compromised?

Facebook said private messages and credit card details were not stolen, but the investigation is still ongoing. Facebook does not have full information on the breach at this stage, so this might change. Facebook is also not sure whether Instagram accounts were affected by the breach, but Instagram accounts were automatically secured.

The vulnerabilities leaked users’ access tokens, which can be used to log into the account of the user whose access token was obtained.


Is the Vulnerability fixed?

According to Facebook, the vulnerability was fixed on 27 September, and Facebook then began resetting access tokens to protect user accounts.

Access Tokens?

An access token (or session token) is a piece of cryptographic data that a browser or device presents to keep a user logged in after they have entered their username and password. If you were logged out of your smartphone or PC, it is probably because Facebook revoked the session tokens of almost 50 million users.
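As an added illustration, not code from this post or from Facebook, here is a minimal model of how a service issues access tokens and then invalidates them in bulk, which is what forces the logout described above: a leaked token stops working as soon as the user's revocation cutoff moves past its issue time. The TokenService class, its field names and the constructed SERVER_KEY are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Server-side signing key, constructed for this demo (a real service keeps it in a KMS/HSM).
SERVER_KEY = secrets.token_bytes(32)


class TokenService:
    """Issues HMAC-signed access tokens and invalidates them per user or in bulk."""

    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.revoked_at = {}  # user_id -> cutoff; tokens issued at or before it are dead

    def _sign(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue(self, user_id, now=None):
        # Mint a token once the user has authenticated (password + MFA)
        assert "|" not in user_id, "delimiter must not appear in user_id"
        now = time.time() if now is None else now
        payload = f"{user_id}|{now:.6f}|{secrets.token_hex(16)}".encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(self._sign(payload)).decode())

    def validate(self, token):
        """Return the user_id for a valid, unrevoked token; None otherwise."""
        try:
            p_b64, t_b64 = token.split(".", 1)
            payload = base64.urlsafe_b64decode(p_b64)
            tag = base64.urlsafe_b64decode(t_b64)
        except (ValueError, binascii.Error):
            return None
        # Constant-time comparison: a forged or tampered token fails here
        if not hmac.compare_digest(self._sign(payload), tag):
            return None
        user_id, issued_at, _nonce = payload.decode().split("|")
        # Revocation: a leaked token dies once the user's cutoff moves past its issue time
        if float(issued_at) <= self.revoked_at.get(user_id, -1.0):
            return None
        return user_id

    def revoke_user(self, user_id, now=None):
        """Invalidate every token this user currently holds, forcing a fresh login."""
        self.revoked_at[user_id] = time.time() if now is None else now

    def revoke_many(self, user_ids, now=None):
        # Bulk reset for every account whose tokens may have leaked; returns how many
        now = time.time() if now is None else now
        user_ids = list(user_ids)
        for uid in user_ids:
            self.revoke_user(uid, now)
        return len(user_ids)
```

The per-user cutoff means a mass reset costs one timestamp write per affected account rather than a scan of every live session, while unaffected users stay logged in.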