The social media site Facebook has about 2.2 billion monthly active users, as of its last quarterly earnings report. Today, the company announced in a blog post that somewhere around 50 million of those users were affected by an account takeover attack. Another 40 million may also have been affected, but that number was given out of precaution rather than certainty. Attackers were able to exploit a vulnerability, found earlier in the week, in some of Facebook's code.
An account takeover happens when an unauthorized party gains access to an account. Often this is because the account has a weak password. It can also happen through malware installed when someone clicks a malicious link or attachment, or, as was the case here, by exploiting vulnerabilities in the code itself, among other ways.
Facebook executives said the vulnerability was within the “view as” feature of Facebook, which allows users to see their own profile as others see it. Using it, the intruders stole the access tokens that allow individual users to stay logged in to their accounts. Facebook has invalidated those tokens for the 50 million users it knew were affected and for an additional 40 million it was not certain about. This means those logged-out users will need to log in again.
1. It is always recommended that you apply patches and updates as soon as they are made available for any product you have installed on your devices. While that wouldn’t have helped in this situation, it most certainly stops a great number of attacks.
2. Make sure that you use unique passwords on all of your online accounts. Yes, this may be a bit overwhelming, but it really is important. Password reuse is common, and cybercriminals have been very successful at using it in account takeovers. It has been blamed for several recent incidents, such as a recent Dropbox data breach and an Epic Games attack earlier in the year. Be sure to make passwords a minimum of eight characters and include upper- and lowercase letters, numbers, and special characters.
3. Since account credentials are often stolen when malware hits a device, be sure not to click on links that you were not expecting, that come from unknown senders, or that you are not 100% certain are safe. If you can’t make that determination, pick up the phone and call the sender to verify it. Most of the time, your instincts are correct.
It isn’t known who did this or whether any of the information has been misused, but the FBI is investigating. The “view as” feature is currently disabled until the issue is resolved. Consider changing your password whether or not you were automatically logged out; since few details are known yet, it is the safer choice in cases like this.
How do you know if you were one of these 90 million people? If you were logged out automatically, you may be. Facebook has also placed a notification in the news feed of those affected, which should appear the next time you log in.