Facebook has been hacked, and at least 50 million accounts have been impacted, the firm announced today in a blog post titled “Security Update.”
As a result, 90 million users were logged out of their accounts and forced to sign in again, the firm said.
Criminals were able to “steal” access tokens, the digital keys that keep consumers signed in so they don’t have to enter their password each time, Facebook said. This allowed the criminals to pose as Facebook users and hijack their accounts. The firm doesn’t know how many consumers’ accounts were actually infiltrated.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the blog post said. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details.”
Facebook said criminals used the social media site’s “View As” feature to steal tokens, and then “pivot” from hijacked accounts to access more login tokens.
The tactic sounds similar to so-called cookie-minting attacks made famous in the hack of Yahoo (subject of my podcast, Breach), but it’s unclear what Facebook means by pivot. With cookie minting, criminals are able to fashion tokens at will and trick a website into assuming a computer is already logged in to targeted accounts.
Facebook said the hack exploited a “complex interaction of multiple issues in our code.”
The firm said consumers had no need to change their passwords: resetting (invalidating) the access tokens kicked out the criminals, and consumers need only log in to their accounts again.
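To make the token mechanics concrete, here is a small Python sketch added to this post as an illustration. It is not Facebook’s code and does not describe the actual “View As” bug; every name in it is made up. It shows two things from the paragraphs above: why a stolen bearer token is as good as the account until the server invalidates it (and why resetting tokens, not passwords, is the fix), and why “minting” works against a site whose tokens are merely signed values, if the attacker gets the signing key.

```python
"""Toy model of bearer access tokens: theft, server-side invalidation, and
minting. Added illustration only; hypothetical names, not Facebook's code."""
import hashlib
import hmac
import secrets

# --- Opaque tokens: random values the server looks up in its own store ---

_tokens = {}       # token -> (user_id, generation when issued)
_generation = {}   # user_id -> current generation, bumped on revoke-all


def issue_token(user_id):
    """Mint a new random, unguessable bearer token for user_id."""
    gen = _generation.setdefault(user_id, 0)
    tok = secrets.token_urlsafe(32)
    _tokens[tok] = (user_id, gen)
    return tok


def authenticate(tok):
    """Return the user the token identifies, or None if unknown or revoked.
    Note the server sees only the token; it cannot tell who is presenting it."""
    entry = _tokens.get(tok)
    if entry is None:
        return None
    user_id, gen = entry
    if gen != _generation.get(user_id, 0):
        return None  # issued before the last revoke-all, so no longer valid
    return user_id


def revoke_all_tokens(user_id):
    """Log the user out everywhere: every outstanding token becomes invalid.
    The password is untouched; only the tokens change."""
    _generation[user_id] = _generation.get(user_id, 0) + 1


def stolen_token_scenario():
    """Constructed scenario: attacker obtains a copy of the victim's token."""
    victim_tok = issue_token("victim")
    attacker_copy = victim_tok             # theft: same string, different holder
    before = authenticate(attacker_copy)   # attacker is accepted as "victim"
    revoke_all_tokens("victim")            # the "reset" Facebook describes
    after = authenticate(attacker_copy)    # stolen copy is now dead
    fresh = authenticate(issue_token("victim"))  # victim simply logs in again
    return before, after, fresh


# --- Signed (self-contained) tokens: the server trusts anything carrying a
# valid MAC, so whoever holds the key can mint a token for any account ---

def sign_token(user_id, key):
    mac = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_signed(tok, key):
    user_id, _, mac = tok.rpartition(".")
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def minting_scenario():
    """Constructed scenario: forging with and without the server's key."""
    server_key = secrets.token_bytes(32)
    forged = sign_token("someone-else", server_key)  # attacker who has the key
    bogus = "someone-else." + "0" * 64               # attacker who does not
    return verify_signed(forged, server_key), verify_signed(bogus, server_key)


if __name__ == "__main__":
    print(stolen_token_scenario())   # ('victim', None, 'victim')
    print(minting_scenario())        # ('someone-else', None)
```

The first scenario is why Facebook could tell people not to bother changing passwords: the password never enters into validating a token, so bumping every affected account’s token generation is what actually locks the intruder out. The second is the cookie-minting case from the Yahoo breach in miniature: once the secret that signs tokens leaks, the attacker no longer needs to steal anything.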
“People’s privacy and security is incredibly important, and we’re sorry this happened,” the firm said.
This is a breaking news story. When more details become available I will post them here.