After cyber criminals hacked into nearly 50 million Facebook users’ accounts, the company says there is no need to change your password. That may come as a surprise since changing one's password seems to be the standard advice after every digital security breach.
It’s because hackers didn’t steal passwords this time; they stole access tokens. When it announced the security breach, Facebook explained these tokens act as digital keys that allow users to stay logged in instead of re-entering their passwords each time. The hackers were able to sneak in because of a coding glitch in the “View As” feature that lets people see what their own profile looks like to someone else.
And while the company is aware the hack affected almost 50 million users, it says an additional 40 million users are getting lumped in as a precautionary measure. Facebook said these accounts were possibly affected because someone else used the “View As” feature to look up the profile within the past year.
The social network fixed the vulnerability, turned off the “View As” feature for now and reset access tokens for the 90 million users who may be compromised.
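To make the token-versus-password distinction concrete, here is an added illustration (written for this page, not code from the article or from Facebook) of how a site can keep users logged in with access tokens and then invalidate every outstanding token for a set of accounts without touching a single password. The store, the per-user generation counter and the sample user names are all constructed for the example; Facebook's own implementation is not described in the article.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Server-side record of issued access tokens (constructed example).

    A token stands in for the password on later requests, which is why an
    attacker holding a valid token can act as the user without ever knowing
    the password, and why the fix is to revoke tokens, not to rotate passwords.
    """

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        # Tokens are stored only as keyed hashes: a leak of this table
        # does not hand out usable tokens.
        self._records: dict[str, dict] = {}
        # Per-user "generation" number; bumping it invalidates every
        # token issued under the previous number in one step.
        self._generation: dict[str, int] = {}

    def _fingerprint(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, issued_at: int) -> str:
        """Log a device in: mint a random token bound to the user's current generation."""
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user, 0)
        self._records[self._fingerprint(token)] = {
            "user": user,
            "issued_at": issued_at,
            "generation": gen,
        }
        return token

    def validate(self, token: str):
        """Return the user a token belongs to, or None if it is unknown or revoked."""
        record = self._records.get(self._fingerprint(token))
        if record is None:
            return None
        # A token from an older generation is treated as revoked even though
        # its record still exists; this is what a mass reset relies on.
        if record["generation"] != self._generation.get(record["user"]):
            return None
        return record["user"]

    def revoke_all(self, users) -> None:
        """Force a fresh login everywhere for the given accounts.

        This is the bulk reset the article describes for the affected accounts
        and also what a per-user "log out everywhere" button does for one user.
        """
        for user in users:
            self._generation[user] = self._generation.get(user, 0) + 1


def demo() -> dict:
    """Walk through issue -> compromise -> reset and report what still works."""
    store = TokenStore(b"constructed-server-secret")
    alice_phone = store.issue("alice", issued_at=1)
    alice_laptop = store.issue("alice", issued_at=2)
    bob_phone = store.issue("bob", issued_at=3)

    # Suppose alice's tokens are believed exposed; reset her account only.
    store.revoke_all(["alice"])
    alice_new = store.issue("alice", issued_at=4)  # she logs back in

    return {
        "alice_old_phone": store.validate(alice_phone),
        "alice_old_laptop": store.validate(alice_laptop),
        "alice_relogin": store.validate(alice_new),
        "bob_untouched": store.validate(bob_phone),
        "forged": store.validate("not-a-real-token"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

After `revoke_all`, both of alice's old devices fail validation, her fresh login works, and bob's session is unaffected: the same outcome the article describes, where affected users were logged out on every device while nothing about their passwords changed.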
If you were one of those people, you would have found yourself unexpectedly logged out of Facebook over the weekend on all your devices. When you log back in, a notification will appear at the top of your News Feed explaining what happened.
Hackers getting their hands on access tokens means they could essentially take over people’s accounts.
Damon McCoy, assistant professor of computer science and engineering at New York University, explained to NBC News what cyber criminals might do with the stolen information.
“Some examples of how a Facebook account might have been misused include adding/deleting friends, post, Facebook apps, comments, likes, private messages,” McCoy said. “Any attack could also have changed the privacy setting of any existing content or changed the default privacy setting of future posts, comments, or likes.”
CEO Mark Zuckerberg said in a statement that the investigation is still at a very early stage and that the company does not yet know of any misuse of the accounts.
“So far,” he said, “our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts.”
Still, every Facebook user should take a few security steps. Go to Settings, then Security and Login, to see the list of places where you are logged into the social network. Make sure all of them are familiar to you. If any entry looks suspicious, click the three dots next to it and choose “Not You?” to report it to Facebook. There is also a one-click option to log out everywhere.
Guy Rosen, vice president of product management with Facebook, held a conference call with the media and said hackers did not steal any credit card information. But he said these cyber thieves could have accessed other third-party apps that were using a Facebook login and users will need to log in again to those apps. “If you have a Facebook account that has been affected which is linked to an Instagram account,” he said, “what you have to do today is to unlink and relink that account to Instagram.”
To check connected apps, go to Settings, then Apps and Websites. These are the companies you logged into using your Facebook account. If any company pops up that you don’t recognize, report it to Facebook and get rid of it. Finally, users should look at their accounts on all of those linked apps and websites to make sure nothing suspicious is going on.
Until next time.