Facebook revealed today that attackers successfully exploited a vulnerability in its code in a way that may have allowed unauthorized parties to access information in, and take control of, up to 50 million accounts.
According to a blog post written by Guy Rosen, Facebook’s VP of Product Management, it became clear to Facebook personnel on Tuesday that “attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
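To make the token point concrete: an access token is a bearer credential, so the server accepts it from whoever presents it, and the only remedies once a token has been stolen are expiry and server-side invalidation (which is what resetting tokens or logging out of all sessions does). The following is an added example written for this post, not Facebook's code; the class `AccessTokenStore`, its methods and the user names are hypothetical. It issues HMAC-bound tokens, validates them, and shows per-user and platform-wide revocation.

```python
import hmac
import hashlib
import secrets
from typing import Optional


class AccessTokenStore:
    """Server-side store of bearer access tokens (hypothetical, not Facebook's).

    A token is "<random id>.<hmac>": the HMAC binds the id to the user so a
    tampered token fails, and the server-side table is what lets the service
    invalidate tokens (per user or globally) after a compromise.
    """

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._live = {}  # token_id -> (user_id, expires_at)

    def _sign(self, token_id: str, user_id: str) -> str:
        msg = f"{token_id}:{user_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, ttl: float = 3600.0, now: float = 0.0) -> str:
        # "now" is passed in explicitly so the behaviour is reproducible offline.
        token_id = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
        self._live[token_id] = (user_id, now + ttl)
        return f"{token_id}.{self._sign(token_id, user_id)}"

    def validate(self, token: str, now: float = 0.0) -> Optional[str]:
        """Return the user id the token grants access to, or None if it is invalid."""
        token_id, _, sig = token.partition(".")
        entry = self._live.get(token_id)
        if entry is None:
            return None  # never issued, or already revoked
        user_id, expires_at = entry
        if not hmac.compare_digest(sig, self._sign(token_id, user_id)):
            return None  # signature does not match the stored binding
        if now >= expires_at:
            del self._live[token_id]  # expiry bounds the damage window of a theft
            return None
        return user_id

    def revoke_user(self, user_id: str) -> int:
        """'Log out of all sessions' for one user. Returns how many tokens died."""
        doomed = [t for t, (u, _) in self._live.items() if u == user_id]
        for t in doomed:
            del self._live[t]
        return len(doomed)

    def revoke_all(self) -> int:
        """Platform-wide token reset after a suspected mass theft."""
        n = len(self._live)
        self._live.clear()
        return n


def demo() -> dict:
    """Walk through theft, tampering, expiry and revocation; constructed data."""
    store = AccessTokenStore(secrets.token_bytes(32))
    t0 = 1_000_000.0
    phone = store.issue("alice", now=t0)
    laptop = store.issue("alice", now=t0)
    short = store.issue("alice", ttl=60, now=t0)
    bob = store.issue("bob", now=t0)
    results = {}
    # A stolen token works for whoever holds it: the server cannot tell the thief apart.
    results["stolen_token_accepted"] = store.validate(phone, now=t0 + 10) == "alice"
    # Flipping one signature character is rejected (last char is hex, so "0"/"1" differ).
    tampered = phone[:-1] + ("0" if phone[-1] != "0" else "1")
    results["tampered_rejected"] = store.validate(tampered, now=t0 + 10) is None
    # A short-lived token stops working on its own once it expires.
    results["short_expired"] = store.validate(short, now=t0 + 61) is None
    # Per-user revocation kills both of alice's remaining sessions, leaves bob's alone.
    results["alice_revoked"] = store.revoke_user("alice")
    results["phone_after_revoke"] = store.validate(phone, now=t0 + 10)
    results["bob_after_revoke"] = store.validate(bob, now=t0 + 10)
    # Platform-wide reset removes whatever is still live (only bob's token here).
    results["platform_reset"] = store.revoke_all()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that validity lives in the server-side table, not in the token itself: a self-contained signed token with no server-side record could not be revoked before its expiry, which is exactly the capability a service needs once it learns tokens have been stolen.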
In response to the discovery, Facebook claims to have fixed the vulnerability, notified law enforcement, and temporarily disabled the “View As” feature until it completes a thorough security review.
At this point, Facebook is unsure as to what unauthorized parties actually did after exploiting the weakness – the firm does not know who is behind the attacks, nor if any accounts were actually misused or any information inappropriately accessed.
So, what do you need to do?
1. First of all, despite some media claims to the contrary, there is no need to reset your Facebook password. If it makes you feel more comfortable to know: I am not resetting mine. And, I wish experts would stop advising people to make changes out of “an abundance of caution” (or using similar terms) – we do not want to become The CyberSecurity Experts Who Cried Wolf. (I have discussed this issue numerous times, including with regard to Twitter’s similar recommendation earlier this year.)
2. Some “experts” have suggested that people visit Facebook’s “Security and Login” Settings, and use the feature provided there to log out of all of your active Facebook sessions and log back in to each one. Personally, I think that, at least as of this point, such a process is overkill, and I will not be taking such action for my own Facebook account.
3. As I have said before, whenever using social media, keep the following in mind: If you have information that you don’t want the public to have – do not upload it to Facebook. Do not rely on privacy settings – do not upload it. As I wrote several months ago, “History and experience teach us to assume that every significant piece of software has, or will eventually have, bugs. Facebook is no exception. While it is fine to use privacy settings, do not rely on them to protect truly confidential information – keep such data off social media.” Today’s announcement is a perfect example.
4. It should go without saying – but, sadly does not: If you are not already using multi-factor authentication for your Facebook account, turn it on.