If you were required to re-enter your password in order to log in to Facebook today (28 September 2018), there’s a good reason: Facebook this morning revealed that it had suffered a massive breach, compromising as many as 50 million user accounts.
So if you were required to log in again today, you are one of 90 million Facebook users that was forced to re-enter their Facebook credentials.
Why Facebook required nearly twice as many users as those they are estimating were effected to re-enter their credentials is unclear, but we assume it is because a) they are estimating how many were affected based on certain metrics (unknown to us) and b) they don’t actually yet know who all was directly affected, and so are erring on the side of over-inclusion (not a bad thing).
According to the New York Times, Facebook found that “attackers had exploited a feature in Facebook’s code that allowed them to take over user accounts. Facebook fixed the vulnerability and notified law enforcement officials.”
The BBC says that the exploited feature was the feature known as “View As”, explaining that View As “is a privacy feature that allows people to see what their own profile looks to other users, making it clear what information is viewable to their friends, friends of friends, or the public.”
According to Facebook’s head of security, Guy Rosen, the hackers found “multiple bugs” (eep!) which allowed them to take over user accounts.
The attackers did not get passwords, but rather access tokens. While they are not technically cookies, they are similar in the way that they work inasmuch as they are what keeps you logged in to Facebook rather than your having to re-enter your password every time you go to Facebook. So if you can imagine that a cookie-like thing was accessed, then you just need to generate a new cookie-like thing, basically voiding the previous one which the hackers may have accessed.
This is why you had to log back in to Facebook today – because Facebook logged you out in order to clear out the compromised access token for your account.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
Explains Rosen, “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
With 2billion active users per month, 50million is ‘just’ 2.5% of all active Facebook user accounts, but somehow that’s not much comfort.
Said Facebook CEO Mark Zuckerberg, of the incident, “This is a really serious security issue. This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort.”