Experts advise users to log out and re-login from their devices
Eastern Mirror Desk
Dimapur, Sep. 29: In a major blow to Facebook Inc.’s efforts to regain the trust of its billions of users across the globe after being hit hard by a privacy scandal in March this year, over 50 million accounts were compromised earlier this week in a massive data breach that allowed hackers to gain login access to users’ accounts.
The social media giant, which boasts 2.23 billion monthly active users, was earlier embroiled in a scandal involving the British data analytics and election strategy firm Cambridge Analytica, which harvested the user data of nearly 87 million people without their consent. That scandal led the company’s CEO, Mark Zuckerberg, to testify before the United States Congress and pledge to protect user data.
Facebook made the shocking revelation on Friday that it had discovered a security issue affecting almost 50 million accounts on September 25 and that hackers had stolen its users’ access tokens through one of its features, called “View As.”
“...it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” said Guy Rosen, VP of Product Management, Facebook, in a statement.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.
Facebook said it has responded to the situation by fixing the vulnerability and informing law enforcement, turning off the “View As” feature, resetting the access tokens of almost 50 million compromised accounts, and, as a precautionary measure, resetting the access tokens of another 40 million accounts.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” it said.
The social media giant said that it was not only the “View As” feature but also a new version of its video uploader that opened the door to the hackers. It added that “when the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.”
Meanwhile, cyber experts have warned over 2.3 billion users to log out and log back in to Facebook and any third-party apps that use Facebook login, according to IANS.
"For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms," Chester Wisniewski, Principal Research Scientist with global cyber security major Sophos, told the news agency.
Dr Gary McGraw, Vice President of Security Technology, Synopsys (Software Integrity Group), told IANS that this breach emphasises just how important software security is, and how subtle solid security engineering can be.
"When a feature like 'View As' can be turned on its head into an exploit, it indicates a design problem that led to unanticipated security vulnerability," noted Dr McGraw, adding that “design flaws like this lurk in the mind boggling complexity of today's commercial systems, and must be systematically uncovered and corrected when software is being designed and built.”
Experts say they do not know how long the vulnerability existed, who the hackers were, or the extent of the damage that might have been caused in terms of stealing not only users’ profile data but, in this case, potentially their personal messages, pictures and chats, among other things. As a precautionary measure, Facebook users should log out and log back in on their cell phones, laptops, desktops and other gadgets.
(With inputs from IANS)