All you need to know about the Facebook security breach


The security breach has affected 50 million Facebook users. Image: Niall Carson/PA Wire

Saturday, September 29, 2018

Facebook announced on Friday afternoon that 50 million Facebook accounts had been breached. Here is everything you need to know about the cyber attack.

The social media giant said hackers had exploited a vulnerability in Facebook's code involving the "View As" feature, which lets users see what their own profile looks like to someone else.

People who used the feature are at risk, with hackers able to steal access tokens - the equivalent of digital keys that keep people logged in to the Facebook app without the need to re-enter a password - and potentially take over the account.

The security breach was discovered on Tuesday, but executives at the social media giant waited until Friday to announce the news to users.

Facebook has reportedly now fixed the issue, and has reported it to law enforcement.

Facebook has more than two billion users worldwide and has been hit by a series of problems this year, including the news that data analytics firm Cambridge Analytica had gained access to personal data from millions of user profiles.


Who was affected by the breach?

Affected users were automatically logged out of their accounts

Facebook has reset the access tokens for the 50 million affected users, as well as another 40 million accounts.

If you had to manually log in to your account on Friday, it is likely your account was compromised.

Facebook has not revealed whether any UK users were hit, or where the hacked accounts were based.

Vice-president of product management at Facebook, Guy Rosen, said the attack could have given the hackers access to other apps if a user had logged into them using their Facebook name and password - and said the firm was investigating whether there was any access to Instagram accounts. He confirmed, however, that the messaging app WhatsApp was not impacted by the breach.


What next?

Facebook users could be at risk of phishing attacks following the breach

While some accounts have been automatically logged out, no one needs to change their passwords, Facebook has said.

Those who were not logged out automatically, but want to log out as a precaution, should visit the "Security and Login" section which lists all the places a user is logged in to Facebook.

People can use the one-click option to log out of Facebook on all PCs and devices it may have been accessed on.

A spokesman for the UK's National Cyber Security Centre (NCSC) warned users to look out for possible phishing attacks - where an attacker poses as a legitimate organisation to trick a user into opening a malicious message, email or text.

The NCSC said: "Usually, if you are the target of a phishing message, your real name will not be used.

"However, if fraudsters do have your name, people will need to be extra vigilant around any message that purports to be from an organisation they deal with - especially when there are attachments or links which take people to sites asking for more personal information."