Hackers attack Facebook, 50 million accounts affected

According toVerge, a security flaw that allowed hackers to access users' Facebook accounts by collecting their security tokens. The flaw affected 50 million people, and Facebook said it was forced to force 90 million user accounts to completely log back in today to be safe. About 40 million people were still at risk, so the company included them in this list.

According to a Facebook representative, the problem has been temporarily fixed and the company has also notified law enforcement agencies in the US. This is not a normal random technical error, but engineers discovered traces of a targeted exploit and used by some organizations or third-party hackers. The company first became aware of the problem on September 25, but Guy Rosen, Facebook's vice president of product management, said it was unclear whether any accounts were actually compromised.

This is also the reason why many Facebook users in the country as well as around the world were kicked out of Facebook and Messenger yesterday afternoon. On September 28, many members shared on Facebook the unpleasant feeling of being "forced" to log out of their accounts while browsing information or chatting with friends. "It seems like something 'happened' today that Vietnamese Facebook accounts were forced to log out en masse," one user wondered.

"On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would have allowed them to log into about 50 million people's accounts on Facebook," CEO Mark Zuckerberg wrote in a post on his personal page. "We don't yet know if these accounts were compromised, but we're continuing to look into it and will update as soon as we have more information."

The vulnerability stems from Facebook’s View As feature. Normally, it allows account owners to see which person or group of people can see what content on their personal page. However, the vulnerability turns this feature into a tool for hackers to log into users’ accounts through a digital key string (token) without having to use a password.

In addition to forcing 90 million people to log in again, Facebook said it would temporarily disable the View As feature until the security review is complete. Facebook has not specifically warned users about having to change their passwords.

After the scandal of leaking and selling information of 87 million users earlier this year, this could be the second big trouble to come to Facebook in 2018. The above incident happened just a month after the company's former Chief Security Officer (CSO), Alex Stamos, left the company. Facebook then said that it was not in a hurry to hire a new CSO but would restructure its security department first.