
Facebook attack exposed data of up to 50 million users


FIXING A FLAW. Facebook had to reset 90 million accounts to address a flaw in one of its systems. Image from Facebook

This is a developing story. Please refresh this page for updates.

MANILA, Philippines – Early on Saturday morning, September 29 (September 28, US time), Facebook explained why people got logged out of their Facebook accounts. The company was implementing a fix for a security breach that allowed hackers to exploit a bug in the platform's "View As" feature.

"View As" is a feature that lets people see what their own profile looks like to someone else.

In a blog post, Guy Rosen, Facebook Vice President of Product Management, said their engineering team discovered the breach on the afternoon of Tuesday, September 25. He added that it affected almost 50 million accounts. 

Rosen explained that the breach allowed the attackers to steal Facebook access tokens which they could then use to take over people’s accounts.

Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Facebook CEO Mark Zuckerberg, in a post on the social network, said, "an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people's accounts on Facebook."


Rosen said they've fixed the vulnerability and informed law enforcement.

The company also reset the access tokens of almost 50 million accounts and an additional 40 million accounts subjected to a "View As" look-up in the last year. 

"As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened," Rosen said.

Facebook is also turning off the View As feature until a security review is completed.

Facebook added it has "yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based."

The company has said it will reset other accounts as needed if it finds they were affected.

While Facebook has said users do not need to reset their password information, you may still want to do a security review of your password information on Facebook, as well as check in case anything has been changed on your account.

If you are among those who were forced to log out, it may also still be prudent to change your password. – Rappler.com

