
FACEBOOK has admitted that 50million accounts were accessed by hackers in a monumental security breach – leaving them able to see all of your personal info, photos, and even private messages.

The blunder – which affected accounts belonging to Facebook chiefs Mark Zuckerberg and Sheryl Sandberg, too – was slipped out as a blog post late on Friday afternoon, three days after the attack was first discovered. Here's how it could affect you...

[Image: Billionaire Mark Zuckerberg's social network has gone from bad to worse]

Speaking to reporters, Facebook revealed the significant danger behind this hack: "Attackers could use the account as if they were the account holder."

As a precaution, Facebook logged around 90million people out of their accounts. You'll have to log back in to Facebook – that includes any apps that you might log into with Facebook, like Spotify.

"On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts," said Facebook's Guy Rosen.

"We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security."

[Image: Facebook is the world's largest social network, and serves more than 2.23billion users every single month]

Facebook hack – what went wrong?

According to Facebook, attackers exploited a vulnerability in the website's code.

It specifically impacted "View As", which is a feature that lets you see what your own profile looks like to someone else.

Hackers used this feature to steal Facebook's access tokens.

Access tokens are like digital keys that keep you logged into Facebook – so you don't have to re-enter your password every time you use the app.

This means that hackers would've been able to access your Facebook account, potentially giving them access to your entire profile, your private messages and more.

"This attack exploited the complex interaction of multiple issues in our code," Facebook admitted.

"It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.'

"The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

Even the accounts of CEO Mark Zuckerberg and COO Sheryl Sandberg were exposed in this breach.

Making matters worse, hackers could've used this flaw to get access to other services you use.

A stolen token effectively let the attacker's web browser act as though it were already logged into Facebook as you. So if you log into any services with Facebook – like Instagram – then those accounts were entirely accessible, too.

Facebook hack timeline – when did it all happen?

Here's what you need to know...

  • The vulnerability in Facebook's code was the result of three separate bugs
  • These were created in July 2017, when Facebook created a new video upload functionality
  • On September 16, 2018, Facebook discovered unusual activity, which manifested itself as a "spike in users", according to officials
  • Facebook then launched an investigation
  • On Tuesday, September 25, Facebook uncovered the attack and found the vulnerability
  • On Wednesday, September 26, Facebook notified law enforcement
  • On Thursday evening – September 27 – Facebook said it fixed the vulnerability
  • On Friday evening – September 28 – Facebook disclosed the vulnerability to the public

Facebook hack – is the problem fixed?

Facebook says it has "fixed the vulnerability", and told law enforcement about the issue.

The world's largest social network has also reset the access tokens for the 50million accounts that Facebook admits were affected.

Facebook is also resetting access tokens for another 40million accounts that have been subject to a "View As" look-up in the last year – as a precautionary measure.

This means that roughly 90million users will be logged out of Facebook, and any apps linked to Facebook.

Facebook has also temporarily turned off the "View As" feature so it can "conduct a thorough security review".


Facebook hack – has your info been stolen?

Facebook says it's "only just started our investigation", so it can't confirm whether your account was "misused or any information accessed".

The company also admits that it's clueless about who the hackers are.

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," said Facebook's Guy Rosen.

"We also don’t know who’s behind these attacks or where they’re based.

"We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.

"In addition, if we find more affected accounts, we will immediately reset their access tokens."

Facebook said that there was no evidence private messages had been accessed, but that hackers were able to "use [accounts] as if they were the account holder".

That means they could have accessed your profile information, your posts, your friends list, your photos and videos, the groups you follow, anything you've ever liked, the cache of data Facebook stores on you, and even your private messages.

However, Facebook confirmed that credit cards and passwords hadn't been stolen.

Facebook hack – how did this breach happen?

Here's how it worked...

  • Facebook's systems were compromised through the 'View As' feature
  • 'View As' lets you see your profile as another specific user would see it
  • The three bugs related specifically to a re-design of the video uploader tool
  • When using 'View As', the video uploader tool shouldn't have shown up at all
  • But on specific posts encouraging people to post happy birthday greetings, it did show up
  • The second bug was that the video uploader incorrectly used Facebook's single sign-on functionality, and generated an access token for the mobile app
  • The third bug was that when the video uploader showed up, the access token was generated not for you, the logged-in user, but for the user you were looking up
  • This was discovered by attackers, who were able to use this system to look up other users and get further tokens
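To make the three-bug chain above concrete, here is an added toy model (not Facebook's code; the session shape, the "birthday" post trigger and the token store are constructed assumptions). It shows the buggy rendering path minting a token for the viewed-as user, the corrected path that never renders the uploader in "View As", and the server-side invariant a defender would want: a token must always be bound to the user who actually authenticated.

```python
# Added illustration of the "View As" bug chain; all names and data are constructed.
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

@dataclass(frozen=True)
class Session:
    authenticated_user: str          # who really logged in
    view_as: Optional[str] = None    # set while previewing the profile as someone else

# Constructed token store: token -> the user that token acts as.
TOKENS: Dict[str, str] = {}

def mint_token(user: str) -> str:
    """Stand-in for single sign-on token issuance (constructed)."""
    token = secrets.token_hex(8)
    TOKENS[token] = user
    return token

def render_profile_buggy(session: Session, post_kind: str) -> Optional[str]:
    """Models the three bugs described in the article."""
    in_view_as = session.view_as is not None
    # Bug 1: the uploader should never appear in View As, but birthday posts still rendered it.
    show_uploader = (not in_view_as) or post_kind == "birthday"
    if not show_uploader:
        return None
    # Bug 2: the uploader handed out a single sign-on access token at all.
    # Bug 3: it bound that token to the user being viewed, not to the viewer.
    subject = session.view_as if in_view_as else session.authenticated_user
    return mint_token(subject)

def render_profile_fixed(session: Session, post_kind: str) -> Optional[str]:
    """Corrected path: no uploader (and no token) in View As; otherwise the
    token is bound to the authenticated user regardless of what is on screen."""
    if session.view_as is not None:
        return None
    return mint_token(session.authenticated_user)

def token_is_bound_to_session(token: str, session: Session) -> bool:
    """Defensive invariant: a token issued during a session must belong to the
    user who authenticated that session. Violations indicate an impersonation bug."""
    return TOKENS.get(token) == session.authenticated_user

if __name__ == "__main__":
    s = Session("alice", view_as="bob")
    leaked = render_profile_buggy(s, "birthday")
    print("buggy token acts as:", TOKENS[leaked], "| bound to session:",
          token_is_bound_to_session(leaked, s))
    print("fixed path in View As returns:", render_profile_fixed(s, "birthday"))
```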

Facebook hack – how do you know if you were affected?

Facebook is logging 50million affected users out, as well as 40million potentially affected users – making for 90million log-outs in total.

If you're one of these people, you'll be logged out and asked to log back in.

When you log back in, you'll see a notification at the top of your News Feed explaining what happened.

However, The Sun has spoken to three Facebook users who have been logged out on Friday evening but received no notification.

We've asked Facebook for clarification on this.

[Image: If you get logged out, you should receive a notification that takes you to this page when you log back in]

[Image: The notification will take you to this page explaining what went wrong]

Facebook hack – should you change your password?

Details are still muddy, but Facebook said your password won't have been compromised.

Attackers were able to log on as you and browse your profile and messages, but this wouldn't give them access to your password.

"There's no need for anyone to change their passwords," Facebook said.

Still, we think it's a good idea to change your passwords anyway, because hackers may have been able to glean details about your login credentials through information around your Facebook profile.

This goes for your Facebook password and any other passwords you use on other sites or services.

Facebook declined to tell The Sun how many UK users have been affected. Facebook also failed to take any questions from The Sun during a conference call about the hack on Friday evening.

Facebook hack – are you safe if you weren't logged out?

Facebook said attackers were able to access 50million accounts "as if they were the account holder".

That means it’s almost certain that private messages were accessed.

It’s possible that data will have been collected automatically by the hackers, which means that the private messages of 50million people may have been hoovered up.

That significantly broadens the scope of the breach – because those messages will have involved other parties whose accounts weren’t even accessed.

Also, anyone who is friends on Facebook with a compromised user may have had at least some of their data scooped up by hackers.

If your account wasn’t accessed directly, it doesn’t mean you haven’t been compromised in some way.

Facebook hack – will billionaire CEO Mark Zuckerberg finally stand down?

On a conference call with reporters, Mark Zuckerberg declined to answer whether he would stand down as CEO.

Instead, he said: "I’m glad that we found this and that we were able to fix the vulnerability and secure the accounts.

"It definitely is an issue that this happened in the first place.

"This underscores the attacks that our community faces."

He added: "Security is an arms race and we're continuing to improve our defences."

Facebook hack response – users are threatening to QUIT app

This may be the straw that breaks the camel's back. With a third of the world using Facebook, people are concerned that the site is out of control.

After this latest hack, users are now threatening to quit the site for good.

Grace Janion, a 23-year-old PR worker in London who was forced to sign out by Facebook after the breach, told The Sun: "I received a pop-up earlier asking me to sign in again – I didn't think twice and just did it because you'd never imagine something like this to happen.

"I use Facebook as one of my main methods of chatting to friends so I feel quite betrayed by Facebook that my privacy can be breached so easily.

"I'll definitely be more cautious and less trusting in Facebook going forward."

[Image: Facebook users are threatening to quit after the breach]

[Image: Some users may find it tricky to sever relationships with Facebook, no matter how much they want to]

[Image: The Facebook breach may be the last straw for some users]

Facebook hack – what are security experts saying about the attack?

One of the biggest concerns is that other hackers will exploit the panic around Facebook – and launch sneaky phishing attacks.

"Facebook is going by the book notifying authorities as soon as it detected this vulnerability, and it should be applauded for its quick action," said Oz Alashe, CEO of cyber security platform CybSafe.

"However, with a security issue as high profile as this one, it’s likely that phishing attacks will swiftly follow urging recipients to change their Facebook passwords via an email and then directing them to a malicious phishing site."

He added: "It’s important to be extra vigilant, to follow Facebook’s instructions on the site or app, but do not act on unsolicited emails unless you are able to verify the sender."

Tim Mackey, senior technical evangelist at Synopsys, told The Sun that users should also urgently check which apps they've granted permissions to using Facebook.

"While it is early in the investigation, the Facebook network breach shows how important an incident response plan is," he said.

"In this case, the incident response includes information surrounding access tokens. Because this issue impacted “access tokens”, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications.

"If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook."


Gary McGraw, vice president of security technology at Synopsys, called it a "disaster".

"Another day, another software problem that leads to security disaster. Only this time it is Facebook whose software features have apparently been exploited by attackers, impacting around 90 million people," Gary told The Sun.

"Getting software security right is difficult, but not impossible. This breach emphasises just how important software security is, and how subtle solid security engineering can be. When a feature like “View As” can be turned on its head into an exploit, it indicates a design problem that led to unanticipated security vulnerability.

"Design flaws like this lurk in the mind boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built."

Facebook hack – did it break any GDPR rules?

Facebook appears to be in the clear when it comes to the EU's new GDPR rules – which can now fine tech firms up to €20 million or 4 per cent of turnover (whichever is greater).

Companies now have 72 hours to tell European authorities about breaches.

In this instance, it appears to have done so.

The Data Protection Commission in Ireland (where Facebook has a large HQ), said: "The Data Protection Commission (DPC) has received a preliminary notification from Facebook Ireland.

"However, the notification lacks detail and the DPC is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.

"The DPC continues to press Facebook to clarify these matters further as a matter of urgency."

However, Facebook may still be fined if the company is deemed to have been negligent.
