clock menu more-arrow no yes

Filed under:

FAQ: The Latest Bad News Afflicting Facebook

Fifty-million users have been affected by the latest breach. Here’s how to know if you’re one of them and how the hack occurred.

A hooded figure using a laptop, with Facebook logos in the background Getty Images/Ringer illustration

Friday, Facebook announced it was subject to a major security hack that affected nearly 50 million accounts. While the company is still investigating the hack, which it discovered Tuesday, it is taking the breach “incredibly seriously,” wrote Facebook VP of product management Guy Rosen in a company blog post. The breach impacted the service’s “View As” tool, he wrote.

This security failure is only the latest in a seemingly endless stream of bad news for Facebook. Monday, Instagram cofounders Kevin Systrom and Mike Krieger announced that they are leaving the photo-sharing app, which Facebook acquired in 2012 for $1 billion. In recent years, Facebook has been relying heavily on Instagram, which, unlike its parent platform, remains relatively scandal-free. Another Facebook acquisition, WhatsApp, suffered from its own conflicts with Facebook: The messaging app’s cofounder Brian Acton, has said disagreements over privacy forced him to walk away. And of course, there’s been sustained criticism over Facebook’s inability to combat the spread of misinformation and conspiracy theories, as well as its inability to protect user privacy and security.

Facebook’s big problems are complicated. Here’s an FAQ to help you better understand the latest hack.

What caused this?

A vulnerability in the code for the View As tool led to the security lapse.

What is that?

As a result of the breach, View As is not currently available. A user clicking on the “...” button on the bottom right of their own cover image reveals a View As option, which allowed a user to see what their profile would look like to someone else, i.e., a friend or coworker. That button, which still appears, now leads to an error message. Facebook has touted the feature as a way to make sure user privacy settings are working as intended: for instance, a user could ensure that they were successfully to limiting who on their friend list or outside that circle (e.g. students or colleagues) could view their photos or posts.

How did it cause a hack?

Facebook issued an update to a video uploading tool (apparently used for happy birthday videos). This update created a vulnerability to the View As code, which then revealed “access tokens.” Access tokens, according to the social network, are “digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.” Through those tokens, hackers were able to log in to affected users’ accounts and take them over. “It’s important to say—the attackers could use the account as if they are the account holder,” Rosen told BuzzFeed News.

When did this happen?

There are five important dates: July 2017; September 16, 2018; September 25, 2018; September 27, 2018; and September 28, 2018. According to Facebook, a September 16 spike in traffic signaled that something was wrong, but the company officially discovered the hack Tuesday, September 25. The company developers fixed the code the night of September 27. The hack was announced September 28. The vulnerability was introduced into the code during the summer of 2017. “This attack exploited the complex interaction of multiple issues in our code,” Rosen wrote. “It stemmed from a change we made to our video uploading feature in July 2017.” Facebook did not say if this is when hackers began taking advantage of the security lapse.

Who are the hackers?

The investigation only just began, and Facebook doesn’t know who the attackers are, Rosen wrote.

How is Facebook fixing this?

First, the company patched the vulnerability in its code. Then, all of the 50 million accounts affected were logged out, and users were prompted to log back in. Facebook also reset its access tokens, so hackers that can no longer get into users’ accounts. Facebook also said it issued a notice to these affected accounts to explain what happened; here’s what that looks like:

Facebook also reset access tokens for an additional 40 million accounts “that have been subject to a ‘view as’ look-up in the last year.” These users have also been logged out and will be notified upon logging back in. In total, Facebook reset the access tokens for 90 million accounts. (As of the second quarter of 2018, the company reported having 2.23 billion monthly active users.) Facebook says it will continue to reset access tokens of affected users if it finds more that have been compromised.

What does it mean if I’ve been logged out?

If a user goes to Facebook via app or desktop and is logged out without having previously signed out themselves, it means either that the account was logged into by a hacker or that, within the last year, someone on Facebook used View As to view their own profile as if they were this user who was logged out.

Those seem like pretty different scenarios …

Yes! One means that a person’s Facebook account was hacked and taken over by someone, and the other means that another user on Facebook used the View As feature as intended. Facebook’s blog post and reports of what the notification looks like suggest there is only one message and it does not specify if people are one of the 50 million hacked users or the 40 million whose profiles were subjected to a View As request, but The Ringer has reached out to Facebook for clarification on this. There are also some reports from users who say they were automatically logged out Friday. Upon logging back in, they did not receive any notification about why. In a press call this afternoon, a Facebook representative said that the social network has begun logging people out and that not while not all of the notification messages have been sent out yet, they will eventually hit affected users’ accounts. When asked why Facebook was not emailing those affected and only placing the notification at the top of their News Feeds upon login, the company said this was the most efficient way to inform users.