40 million more also having their access tokens reset

Sep 28, 2018 17:52 GMT  ·  By

Guy Rosen, Facebook's VP of Product Management, announced that around 50 million user accounts are affected by a security issue in the "View As" feature. The vulnerability was introduced by a change to Facebook's video uploading code in July 2017.

According to Rosen's report, the attackers were able to steal Facebook access tokens by exploiting a bug in the "View As" profile feature, which lets users see their own profile as another user would see it.

Access tokens are the digital keys that keep a user logged in so they do not have to re-enter their password every time they open the app. A stolen token therefore lets the threat actors behind the attack take over the affected account and use Facebook as that user, without ever needing the password.

Facebook has reset the access tokens of all 50 million affected users to protect their accounts, and is also resetting the tokens of another 40 million accounts that have used the "View As" feature during the last year.

In total, around 90 million Facebook users will have their access tokens reset by the social network's security team as it investigates the incident, and they will have to log back in the next time they use their Facebook account or any app that relies on Facebook Login.
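To make concrete what "resetting access tokens" means on the server side, here is an added example that is not Facebook's code and makes no claim about how Facebook's token system is built. It assumes a hypothetical HMAC-signed bearer token and a per-user generation counter: bumping the counter revokes every token previously issued to that user, including one an attacker has already stolen, while the user's password stays unchanged and other users are untouched.

```python
"""Added illustration: server-side bulk revocation of bearer access tokens.

Assumptions (not from the article): tokens are HMAC-SHA256 signed JSON blobs,
and each user has a 'generation' counter stored server-side. A token is only
accepted if its embedded generation matches the user's current one.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Assumed server signing key for the example; in production this would live
# in a KMS/HSM and never be hard-coded.
SERVER_KEY = b"example-server-key-not-for-production"


class TokenService:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._generation: Dict[str, int] = {}  # user_id -> current token generation

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Log a user in: mint a token bound to the user's *current* generation."""
        gen = self._generation.setdefault(user_id, 0)
        claims = {"uid": user_id, "gen": gen, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, separators=(",", ":")).encode()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(self._sign(body)).decode())

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id a token grants access to, or None if it is rejected."""
        try:
            body_b64, sig_b64 = token.split(".", 1)
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, binascii.Error):
            return None
        # Constant-time compare: a forged or tampered token fails here.
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(body)
        # A token from an older generation was revoked by a reset.
        if claims.get("gen") != self._generation.get(claims.get("uid")):
            return None
        return claims["uid"]

    def reset_tokens(self, user_id: str) -> None:
        """Invalidate every token ever issued to user_id; the password is untouched."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1


def simulate_breach_and_reset() -> Dict[str, Optional[str]]:
    """Constructed scenario: a token is stolen, the account is reset, the user logs back in."""
    svc = TokenService(SERVER_KEY)
    victim_token = svc.issue("user-1")        # victim's normal session
    bystander_token = svc.issue("user-2")     # an account that is not affected
    stolen_token = victim_token               # attacker obtains the victim's token

    before_reset = svc.validate(stolen_token)         # attacker acts as user-1
    svc.reset_tokens("user-1")                        # bulk reset for the affected account
    after_reset = svc.validate(stolen_token)          # stolen token no longer works
    after_relogin = svc.validate(svc.issue("user-1")) # user signs back in, gets a fresh token
    unaffected_user = svc.validate(bystander_token)   # other users keep their sessions

    # Tampering attempt: reuse the stolen signature over a body claiming another user.
    body_b64, sig_b64 = stolen_token.split(".", 1)
    forged_claims = json.loads(base64.urlsafe_b64decode(body_b64))
    forged_claims["uid"] = "user-2"
    forged_body = json.dumps(forged_claims, separators=(",", ":")).encode()
    forged = base64.urlsafe_b64encode(forged_body).decode() + "." + sig_b64

    return {
        "before_reset": before_reset,
        "after_reset": after_reset,
        "after_relogin": after_relogin,
        "unaffected_user": unaffected_user,
        "forged": svc.validate(forged),
    }


if __name__ == "__main__":
    for name, value in simulate_breach_and_reset().items():
        print(f"{name}: {value}")
```

The generation counter is what makes a mass reset cheap: revoking tens of millions of tokens is one counter increment per affected account rather than a blacklist of every outstanding token, and it explains why the affected users only had to sign back in rather than change their passwords.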

90 million Facebook accounts could have been hacked into because of the "View As" security bug

All users who had their access tokens reset will see a notification at the top of their Facebook News Feed explaining why they had to sign back in before they could use their account again.

As an extra precaution, Facebook has also temporarily disabled the "View As" feature for all users while its security review of the incident is ongoing.

Rosen says that Facebook's security team does not yet know whether the attackers accessed any data or misused any of the affected accounts before the vulnerability was found.

Facebook says that users whose accounts were affected and had their access tokens reset do not need to change their passwords. As a precaution, it recommends that anyone concerned they may have been involved in the incident go to the Security and Login section of their settings, review the places where they are logged in, and use the option to log out of all sessions.