Facebook Hacked: 50 Million Accounts Affected

On September 28, 2018, Facebook announced that it had suffered a major security breach, and at the same time that 50 million user accounts had been accessed by unknown attackers. The breach was discovered by Facebook engineers on the previous Tuesday, and the attackers had managed to seize control of the affected accounts. Since the announcement, Facebook has logged out the 50 million breached users and a further 40 million vulnerable accounts to prevent further exploitation by the unknown attackers. Facebook is widely seen as having had a torrid time of late this year, and this major security incident may be the icing on the cake.

According to Facebook, the attackers managed to seize control of user accounts by exploiting three distinct bugs in Facebook's code. These bugs allowed the attackers to steal the digital keys the company uses to keep users logged in. Because it was these digital keys that were stolen, rather than passwords, users are not required to change their passwords; instead, Facebook has reset the keys for all those affected. In a call to reporters, CEO Mark Zuckerberg, whose own account was compromised, said that the attackers would have had the ability to view private messages or post on someone's account, but that there is no evidence this occurred.

Facebook revealed to the public that this latest security incident involved bugs in Facebook's “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as “access tokens,” from the accounts of people whose profiles were searched for using the “View As” feature. The attacker could then move along the user's Facebook friends to take possession of those accounts as well.


In the public statement made by Guy Rosen, Facebook's vice president of product management, it was stated that the bug, which affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, was more than a year old. Despite this, it was not until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack.

All three bugs exploited by the attacker were linked to the “View As” feature. In an attempt to calm the nerves of the public, Rosen concluded,

“To protect people’s accounts, we’ve fixed the vulnerability. We have also reset the access tokens of the almost 50 million accounts we know were affected and we’ve also taken the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a View As look-up in the last year. Finally, we’ve temporarily turned off the View As feature while we conduct a thorough security review.”

Trust Eroded

According to Thomas Brewster, writing for Forbes, this incident can be seen as a disaster for Internet security. According to Brewster, this data breach, and others like it, prove that although companies like Facebook and Google do a better job of protecting data than smaller companies, they are not invulnerable to attack. When an attack successfully targets a company like Facebook, the damage caused can be exponential. When this is viewed with Facebook’s recent history in mind, meaning the Cambridge Analytica scandal, more users are likely to question the value of sticking with the service. Incidents such as these further erode the trust users have in the company while simultaneously tarnishing an already tarnished image.

While such incidents can be devastating to companies and users, they do happen, and they can result in companies being hit with major fines by regulators. Uber, the popular ride-sharing application, has experienced this more than once. Recently Uber is reported to have paid 148 million USD to settle out of court; the case directly relates to the company's attempt to hide the fact that it had exposed the data of 57 million customers and drivers in 2016. Data breaches are becoming a daily reality, but users are not powerless to prevent them from happening.

Precautions Users can take

In light of the recent Facebook data breach, the New York Times published an article on three easy precautions users can take to help prevent becoming a victim of a data breach. The first measure that can be adopted is doing a device audit. This involves using the “Security and Login Page” provided by Facebook. Here you are able to see a list of devices that are signed into your account, as well as their locations. If you see an unfamiliar gadget or a device signed in at an odd location, you can click the “Remove” button to remove the device from your account and prevent that device from logging on in the future.

The second bit of advice given in the article is to change your password. Although Facebook confirmed that users do not need to change their password, as the accounts were compromised through the theft of digital keys rather than passwords, it does not hurt to be extra cautious. When changing your password, it is advised that it should be complex and not used on any other platform or website. Users can also use password managers, which are designed to keep all of a user's passwords in a digital vault that can be opened with one master password, and which can also automatically generate complex passwords when needed.

Finally, turn on two-factor authentication. Facebook already has this feature, as does Google. It involves text messaging a unique code to your phone that you must type in after entering your password. This way, even if someone gained access to your password, it would be difficult to log in without that code. These measures can easily and readily be adapted for other platforms and websites and can help prevent the user from becoming a victim.
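As an added illustration, not code from the article or from Facebook, the following toy account service models the relationship between passwords and the stolen "digital keys" described above: logging in yields an opaque bearer token, the device audit lists live sessions, and a bulk token reset logs the affected users out without touching their passwords. All names and credentials are constructed.

```python
import hashlib
import secrets


class AccountService:
    """Constructed toy model (not Facebook's code) of bearer access tokens."""
    def __init__(self):
        self._creds = {}     # user -> (salt, PBKDF2 hash of the password)
        self._sessions = {}  # token -> {"user": ..., "device": ...}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def login(self, user, password, device):
        # The password is checked only here; afterwards the device holds a token.
        salt, stored = self._creds.get(user, (None, None))
        if salt is None or not secrets.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(24)  # opaque random value: the "digital key"
        self._sessions[token] = {"user": user, "device": device}
        return token

    def whoami(self, token):
        session = self._sessions.get(token)
        return session["user"] if session else None  # bearer: no password is asked

    def devices(self, user):  # the "Security and Login" device audit
        return sorted(s["device"] for s in self._sessions.values() if s["user"] == user)

    def reset_tokens(self, users):
        # Facebook's remediation: drop every session of the affected users, logging
        # them out everywhere while leaving their passwords unchanged.
        self._sessions = {t: s for t, s in self._sessions.items() if s["user"] not in users}


def breach_walkthrough():
    # Constructed scenario: a copied token works like a login until tokens are reset.
    svc = AccountService()
    svc.register("alice", "correct horse battery staple")
    leaked = svc.login("alice", "correct horse battery staple", "alice-phone")
    before = svc.whoami(leaked)  # whoever holds the token is treated as alice
    svc.reset_tokens({"alice"})  # remediation described in the article
    after = svc.whoami(leaked)   # the stolen key is now useless
    again = svc.login("alice", "correct horse battery staple", "alice-laptop")
    return {"before": before, "after": after, "relogin_ok": again is not None,
            "devices": svc.devices("alice")}
```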

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
