Facebook users warned after security breach affects 50 million accounts

Facebook users have been warned to be vigilant by cyber security watchdogs after it emerged the tech giant had suffered a security breach affecting 50 million users.

In a post on the social network’s news site, Facebook vice president of product management Guy Rosen said the breach had been discovered on Tuesday.

But executives waited until Friday to announce the news to users.

Mr Rosen said: “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.

“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

The firm later said the issue had arisen from the combination of three distinct bugs, which together meant the hackers were able to extract the access tokens of other users.

It was unclear whether any UK users had been hit, but some reported getting a message when they tried to log in that said: “Recent activity may have affected your account’s security, so we’ve locked it.

“We’ll walk you through a few steps to confirm your identity and help you access your account.”

Mr Rosen outlined the action Facebook had taken since the discovery, including fixing the issue and reporting it to law enforcement.

As a precaution, it also reset the access tokens of a further 40 million accounts that had been subject to a ‘View As’ look-up in the last year.

A spokesman for the UK’s National Cyber Security Centre (NCSC) warned users to look out for possible phishing attacks – where an attacker poses as a legitimate organisation to trick a user into opening a malicious message, email or text.

This can lead to the installation of malware, freezing of a system through ransomware or theft of sensitive information which can be used to make purchases, steal funds or facilitate identity theft.

Data breaches make users vulnerable because scam messages can seem more credible – for example appearing to come from a site they visit regularly.

The NCSC said: “Usually, if you are the target of a phishing message, your real name will not be used.

“However, if fraudsters do have your name, people will need to be extra vigilant around any message that purports to be from an organisation they deal with – especially when there are attachments or links which take people to sites asking for more personal information.”

James Dipple-Johnstone, of the Information Commissioner’s Office, said: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.

“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”

The Republic of Ireland’s Data Protection Commission (DPC) said it was notified of the incident by Facebook, but had been given no information on the nature of the breach or the extent to which Irish users may have been affected.

A spokesman said: “The DPC continues to press Facebook to clarify these matters further as a matter of urgency.”

Police Scotland said: “As yet, we have no reports on anyone in Scotland being affected, however all users are urged to use best practice when online to prevent their data being compromised.”

Facebook has more than two billion users worldwide, and has been hit by a series of problems this year, including the news that data analytics firm Cambridge Analytica had gained access to personal data from millions of user profiles.

It emerged in March that Cambridge Analytica had used the harvested data to build an algorithm delivering targeted political adverts based on the user’s psychological profile.

So far, Facebook’s founder Mark Zuckerberg has refused to meet with MPs examining the Cambridge Analytica scandal.

MP Damian Collins, chairman of the Commons Digital, Culture, Media and Sport select committee, tweeted on September 28, 2018: “More serious questions for Mark Zuckerberg and Facebook – this is why @CommonsCMS will continue to press for him to give evidence to our parliament – Facebook Network is Breached, Putting 50 Million Users’ Data at Risk”.