Another day, another giant privacy and security controversy, care of our friends at Facebook.
On Sept. 28, Facebook quietly published an update outlining a security issue their engineering team had discovered that affected the access tokens of nearly 50 million accounts.
Cybersecurity firm Kaspersky Lab has weighed in, assuaging fears that users' accounts had been irrevocably compromised.
Whether or not Facebook is a responsible steward of the vast amount of data it holds on each of its more than two billion users is a separate question. But as far as this security breach is concerned: your account is likely fine.
Here's what Kaspersky had to say:
What you need to do about the recent Facebook security breach:
- Nothing.
What you don't need to do about the recent Facebook security breach:
- Don't rush to change your password. Passwords were not affected during the breach, so they're as safe as you've made them.
- Don't panic. Even if you find yourself logged out of Facebook for some reason, Facebook says there's no need to worry; it will have already reset the authentication token for you so that nobody but you can gain access to your account. You'll need to log in again by entering your password and 2FA (that is, Two-Factor Authentication) code (if you have enabled it), but that's all.
- Don't delete your Facebook account. Well, of course you can always do that, but this breach is not a reason to be quite that worried.
Here's what happened:
An access token is, as Facebook describes it, basically a key to your account. If a person has it, Facebook considers that person authorized to enter that account and doesn't request login, password, and 2FA codes. So, having stolen 50,000,000 user access tokens, the malefactors could potentially access those 50,000,000 accounts. But that doesn't mean they got access to your passwords or somehow broke the two-factor authentication mechanism. Your password is secure and 2FA is still working as intended. But stealing a token is a way to bypass those defenses.
Facebook explains that investigation of the incident is in the very early stages, but for now they suspect that somebody found a vulnerability in their "View As" feature and exploited it, gaining access to 50 million account tokens. That's why they have turned the feature off, reset the user authentication tokens for those accounts, and are in the process of resetting those tokens for another 40 million users who have used this feature in the past year. The last part seems like just a precaution, but at the moment, they can hardly be too careful.
When the token is reset, the person who has it can no longer access the account and will need to log in again. The malefactors don't have your login or password, so even if you were affected initially, they can no longer pretend to be you and access the account.
Facebook promises to update the post once it's clear what exactly happened and whether any of the affected accounts were somehow misused, but for now we suggest doing what we described in the beginning of the post: nothing.
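To make the mechanism Kaspersky describes concrete, here is a small model of bearer-token authentication, added as an illustration for this article; it is not code from Kaspersky, Facebook, or the original post, and it says nothing about how Facebook's own systems are built. The server checks password plus a 2FA code only at login and then hands out a random access token; any later request that presents a live token is accepted with no password or 2FA check, which is exactly why a stolen token bypasses both. The remediation is a server-side token reset (a per-user version counter here) that kills every outstanding token without touching the password or the 2FA secret, so the user just logs in again. The account name, password, 2FA secret and fixed clock value are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash (toy parameters, constructed for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with a 30 s step; `now` is injectable for tests."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical auth service: full login issues a bearer token, later
    requests are authorized by the token alone."""

    def __init__(self):
        self.users = {}    # username -> account record
        self.tokens = {}   # access token -> (username, token_version when issued)

    def register(self, username, password, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "token_version": 0,   # bumped on reset; tokens carrying an older version die
        }

    def login(self, username, password, code, now=None):
        """The only place password and 2FA are checked. Returns an access token."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return None
        if not hmac.compare_digest(code, totp(user["totp_secret"], now or time.time())):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, user["token_version"])
        return token

    def authorize(self, token):
        """Bearer check: whoever holds a live token is treated as the account
        owner. No password, no 2FA, so a stolen token bypasses both."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        username, version = entry
        if version != self.users[username]["token_version"]:
            del self.tokens[token]   # issued before a reset: stale, drop it
            return None
        return username

    def reset_tokens(self, username):
        """Invalidate every outstanding token for the user. The password and
        the 2FA secret are untouched; the user simply logs in again."""
        self.users[username]["token_version"] += 1


def demo(now=1_538_092_800.0):  # fixed clock (2018-09-28 00:00 UTC) so the 2FA code is reproducible
    srv = AuthServer()
    secret = b"constructed-2fa-secret"
    srv.register("alice", "correct horse battery staple", secret)
    alice_token = srv.login("alice", "correct horse battery staple", totp(secret, now), now)
    stolen = alice_token                   # attacker obtains the token; how is not modelled here
    before_reset = srv.authorize(stolen)   # 'alice': full access with no password and no 2FA
    srv.reset_tokens("alice")              # the remediation: reset tokens, change nothing else
    after_reset = srv.authorize(stolen)    # None: the stolen token is dead
    new_token = srv.login("alice", "correct horse battery staple", totp(secret, now), now)
    return before_reset, after_reset, srv.authorize(new_token)


if __name__ == "__main__":
    print(demo())   # ('alice', None, 'alice')
```

The version-counter approach is what lets a service reset tokens for millions of accounts cheaply: one integer per user changes, and every token minted before the bump fails on its next use. Tokens themselves should additionally carry an expiry; this model leaves that out to keep the point about reset visible.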