My iPhone was installing an update for the Facebook app. I saw I had a Facebook notification, and my HTC U11 was sitting next to me, so I picked it up and tried to check out the notification on there. However, Facebook required me to log in. I thought little of it. After all, I had just got a new iPhone; maybe logging in with it expired my tokens on all my devices? I had to log back in on the web and my iPhone, as well as all my chat sessions. Finally, I stopped reading up on the depressing Kavanaugh hearings and instead checked my tech news articles. I quickly found my answer.
Facebook was hacked.
A security flaw in Facebook allowed hackers to gain access to the personal information of 50 million users, with potentially 40 million more. Facebook forced all 90 million users to reauthenticate. Over half of those logging back in had to do so because Facebook exposed their data to a third party. Facebook did not tell individual users if hackers accessed their data.
Here’s how it happened and what you need to do.
The Hack
When you log in to Facebook or any other service, you expect that you won’t have to log in again for a while, at least not on that device. This is due to a secure access token. It is a little piece of hashed data that lets you stay logged into your account. It contains your email address and is encrypted so that only Facebook can decrypt it, which is how Facebook verifies that your device has already been authenticated.
All you need to understand is this token allows you to use Facebook on a device without needing to log in every time.
The hack took advantage of the “View As” feature in Facebook. This feature was meant to protect users’ privacy, allowing them to check that their profile doesn’t make a large amount of information available to the public. It also lets you confirm that your posts aren’t visible to specific people, such as coworkers or stalkers. It was introduced to give us peace of mind about our privacy on Facebook. Turns out, Facebook also made spoofing identities easy through this tool.
The hackers were able to create access tokens using a few bugs in Facebook’s systems. By combining vulnerabilities in Facebook’s video platform, which had existed since July 2017, with “View As,” a feature that had been on Facebook for many more years, the hackers were able to generate genuine access tokens and log in as any user on Facebook. That means everything that’s private on the service, viewable only to you, could have been accessed. The hackers could also have chosen to completely take over your account, if they wished. Facebook’s security wouldn’t even recognize these as new sessions, so users likely weren’t warned that someone had logged into their account from an unrecognized device.
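To make the failure concrete, here is an added illustration (not Facebook’s code, and not from this post’s sources) of the token pattern described above: a hypothetical “view as” handler that mints a token whose subject is the viewed user, beside one that keeps the token bound to the requester and only narrows visibility, plus the generation bump a service can use to throw out every outstanding token at once. The token format, signing key and user names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this demo; a real service keeps this in a KMS/HSM.
SERVER_KEY = b"demo-signing-key-not-a-real-secret"
# Tokens record the generation they were minted under; bumping it revokes them all.
TOKEN_GENERATION = 1

def mint_token(subject, view_as=None):
    """Sign a token for `subject`; `view_as` narrows visibility, never identity."""
    claims = {"sub": subject, "gen": TOKEN_GENERATION}
    if view_as is not None:
        claims["view_as"] = view_as  # a visibility filter, not an identity
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token):
    """Return the claims if signature and generation check out, else None."""
    try:
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("gen") != TOKEN_GENERATION:
            return None  # minted before the last mass revocation
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed or tampered token

def view_as_vulnerable(requester, target):
    # Flawed pattern: render the page "as" the target by minting a token whose
    # subject IS the target. Whoever captures that token now is the target.
    return mint_token(target)

def view_as_fixed(requester, target):
    # The token stays bound to the requester; only the visibility filter moves.
    return mint_token(requester, view_as=target)

def acting_identity(token):
    claims = verify_token(token)  # whose account does this token operate?
    return claims["sub"] if claims else None

def revoke_all_tokens():
    global TOKEN_GENERATION  # forced re-login for everyone, old tokens die
    TOKEN_GENERATION += 1
```

The flawed handler hands the requester a token that `acting_identity` reports as the target; the fixed one keeps the subject as the requester while still carrying the `view_as` hint, and a generation bump invalidates both immediately.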
What You Need to Do
Fortunately, there’s nothing you have to do. Facebook already took action by throwing out all old access tokens and issuing new ones. By doing so, the company locked out anyone who didn’t have your password.
However, in case changes were made to your account, check your privacy settings. You should ensure that nothing is now being made public that wasn’t before. You should also consider changing your password. Though it is extremely unlikely, hackers could have obtained data that leads to your password. However, I can say with near 100% certainty that, from Facebook’s description, your password is likely safe.
You should also enable two-factor authentication on Facebook. You can do this under Settings and then Security or Privacy, depending on the client. Two-factor authentication requires a code from an authentication app like Authy (which you absolutely should be using), or a code sent to your cellphone number. While Facebook may do sketchy things with any data you provide, including your phone number, it will improve your security on Facebook.
Facebook’s Response
Facebook does not know what information was taken, if any, from the 50 million accessed accounts. The company explained that the other 40 million users with revoked tokens had been looked up through the “View As” feature during the year. Facebook cannot tell us whether or not hackers have information on all 90 million of these users. The “View As” feature has been disabled while the company conducts a security review.
Facebook has apologized for the hack. The European Union may also punish the company for a violation of GDPR for making users’ information public. The U.S. may also hold Facebook accountable for the leak. However, it’s likely that, beyond the scorn of their users, Facebook will not see repercussions.
Want Revenge?
If you’d like to send Mark Zuckerberg a message, you could decide to keep your account active, but remove all personally identifying information and photos from it. Basically, you’d be using Facebook only for Messenger and a registry of your friends. Facebook feeds off your data, using it to target you with advertising, so, without it, you’re cutting into Facebook’s ability to target users. This reduces the effectiveness of ads. Basically, you can boycott and still use Facebook, if you’re careful about it. You can also, of course, leave Facebook behind.
Sources:
- Pedro Canahuati, Guy Rossen, Facebook
- Juli Clover, MacRumors
- Sara Perez, Zack Whittaker, TechCrunch