If you found yourself logged out of Facebook this morning, you were in good company. Facebook forced more than 90 million Facebook users to log out and back into their accounts Friday morning in response to a massive data breach.
According to Facebook’s announcement, it detected earlier this week that attackers had exploited a feature of Facebook that could allow them to take over at least 50 million user accounts. At this point, information is scant: Facebook does not know who’s behind the attacks or where they are from, and the estimate of compromised accounts could rise as the company’s investigation continues. It is also unclear to what extent user data was accessed and accounts misused.
What is clear is that the attack—like many security exploits—took advantage of the interaction of several parts of Facebook’s code. At the center of this is the “View As” feature, which you can use to see how your profile appears to another user or to the public. (Facebook has temporarily disabled the feature as a precaution while it investigates further.) Facebook tracked this hack to a change it made to its video uploading feature over a year ago in July 2017, and how that change affected View As.
The change allowed hackers to steal Facebook “access tokens.” An access token is a kind of “key” that controls your login information and keeps you logged in. It’s the reason you don’t have to log into your account every time you use the app or go to the website. Apparently, the View As feature inadvertently exposed access tokens for users who were “subject to” View As. That means that, if Alice used the View As feature to see what her profile would look like to Bob, then Bob’s account might have been compromised in this attack.
This morning, in addition to resetting the access tokens and thus logging out the 50 million accounts that Facebook knows were affected, Facebook has also reset access tokens for another 40 million accounts that had been the subject of any View As look-up in the past year.