Yes, you read it right. Facebook has once again been a victim of weak security practices. As a result, Facebook suffered a massive security breach, this time with more than 50 million compromised accounts.
This time the hackers exploited a vulnerability in Facebook’s code that allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts.
Access tokens are like unique digital keys: they keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app. When someone connects with an app using Facebook Login and approves the request for permissions, the app obtains an access token that provides temporary, secure access to Facebook APIs.
Other websites such as Uber and Pinterest, along with leading mobile apps and shopping websites, also use these access tokens for cross-authentication. This means a Facebook user can sign up and log in to other apps and sites with their Facebook passwords.
This feature is what raises the greatest concern about this attack. The impact might cascade to the third-party websites and apps that ride on Facebook’s access-token feature. If that speculation proves true, the impact of this breach could be magnified far beyond 50 million, since the stolen credentials could have been used to gain access to so many other sites.
Facebook confirmed in a blog post that it had fixed the vulnerability and reset the access tokens for a total of 90 million accounts: 50 million whose access tokens were stolen and 40 million that had been subject to a “View As” look-up in the last year. Resetting the access tokens protected the security of people’s accounts and meant they had to log back in to Facebook or any of their apps that use Facebook Login.
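To make concrete why a bulk token reset is the right containment step, and why the third-party sites described above are only protected if they check tokens with the issuer rather than trusting them, here is an added illustration of an access-token lifecycle. It is example code written for this article, not Facebook’s code or API; the class and method names (`TokenIssuer`, `issue`, `introspect`, `reset_for_users`) and the sample user and app ids are assumptions. Tokens are stored only as hashes, are bound to the app they were minted for, expire, and are invalidated for a whole set of users by bumping a per-user generation counter, which is how a reset of tens of millions of accounts can be done without touching each token.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Added example: a minimal Facebook-Login-style access-token issuer.
# All names here are illustrative assumptions, not a real Facebook API.


@dataclass
class TokenRecord:
    user_id: str
    app_id: str          # the app the token was issued to (its audience)
    issued_at: float
    expires_at: float
    generation: int      # user's generation counter at issue time


class TokenIssuer:
    """Issues opaque bearer tokens and validates them server-side."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        # Keyed by SHA-256 of the token, so a leaked table does not leak tokens.
        self._records: Dict[str, TokenRecord] = {}
        # Per-user generation counter. A reset bumps it, so every token issued
        # before the reset stops validating without enumerating the tokens.
        self._generation: Dict[str, int] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, app_id: str, now: Optional[float] = None) -> str:
        """Mint a token for user_id, scoped to app_id. Returns the raw token once."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = TokenRecord(
            user_id=user_id,
            app_id=app_id,
            issued_at=now,
            expires_at=now + self.ttl,
            generation=self._generation.get(user_id, 0),
        )
        return token

    def introspect(self, token: str, app_id: str, now: Optional[float] = None) -> dict:
        """What a relying site should call on every token it receives,
        instead of trusting the bearer. Returns active=False with a reason
        for unknown, expired, wrong-audience, or reset tokens."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(token))
        if rec is None:
            return {"active": False, "reason": "unknown"}
        if now >= rec.expires_at:
            return {"active": False, "reason": "expired"}
        if rec.app_id != app_id:
            # A token minted for one app must not log the user in elsewhere.
            return {"active": False, "reason": "audience_mismatch"}
        if rec.generation != self._generation.get(rec.user_id, 0):
            return {"active": False, "reason": "reset"}
        return {"active": True, "user_id": rec.user_id, "app_id": rec.app_id}

    def reset_for_users(self, user_ids: Iterable[str]) -> int:
        """Invalidate every outstanding token for the given users.
        Returns the number of users reset."""
        count = 0
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1
            count += 1
        return count


def demo() -> dict:
    """Walk through: token in use, wrong-app rejection, bulk reset, re-login, expiry.
    Uses a constructed clock and constructed user/app ids."""
    issuer = TokenIssuer(ttl_seconds=3600)
    t0 = 1_700_000_000.0
    token = issuer.issue("user-1", "shopping-app", now=t0)
    before_reset = issuer.introspect(token, "shopping-app", now=t0 + 60)["active"]
    wrong_app = issuer.introspect(token, "ride-app", now=t0 + 60)["reason"]
    users_reset = issuer.reset_for_users(["user-1", "user-2"])
    after_reset = issuer.introspect(token, "shopping-app", now=t0 + 120)["reason"]
    # The user logs back in and gets a fresh token that validates again.
    fresh = issuer.issue("user-1", "shopping-app", now=t0 + 120)
    fresh_ok = issuer.introspect(fresh, "shopping-app", now=t0 + 130)["active"]
    expired = issuer.introspect(fresh, "shopping-app", now=t0 + 120 + 3600)["reason"]
    return {
        "before_reset": before_reset,
        "wrong_app": wrong_app,
        "users_reset": users_reset,
        "after_reset": after_reset,
        "fresh_ok": fresh_ok,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

The point the walkthrough makes: a stolen token validates normally until the issuer resets the user, at which moment every copy of it anywhere stops working, but only for relying sites that ask the issuer; a site that caches "this token was valid yesterday" keeps the attacker logged in.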