But this time they got leaked unintentionally.
The last time Facebook was in hot water was the Cambridge Analytica affair, in which users' private information was sold or leaked and allegedly used for the campaign sorties and strategies of election candidates. That incident was caused internally and was a huge setback for the social media giant. But it appears to be happening again, and this time there is a clear number of how many accounts were compromised. How many? 50 million confirmed accounts were taken advantage of by hackers during the breach. You heard it right: hackers did it, not an insider. But how? In a statement from Facebook itself, an unknown hacker group exploited a zero-day vulnerability that allowed the perpetrators to steal 50 million access tokens. Access tokens are supposed to be secret; they keep sessions alive on browsers and devices, so by stealing these secret tokens the hackers could take over the affected accounts without needing passwords.
As mentioned, it was Facebook's own zero-day vulnerability that the hackers exploited. In short, code within the Facebook platform was at fault for not being secure enough. The technical details have yet to be released by the social media giant, and the good news is that the vulnerability has already been patched.
The exploit was discovered by Facebook's security team on the 25th of September, and the investigation is still ongoing as of this moment.
It is said that the "View As" tool served as the exploit path used to steal the secret access tokens of the compromised accounts.
Facebook did, of course, secure the accounts of affected users by logging them out automatically, which invalidates the stolen tokens. In case you are wondering why you were logged out automatically over the past few days, you are not alone. The 50 million confirmed compromised accounts plus another 40 million accounts were forcibly logged out to ensure account security, making a total of 90 million accounts secured.
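The forced logout described above works server-side by invalidating every access token a user currently holds, so a stolen token stops working even though the attacker still has a copy of it. The following is an added illustration, not Facebook's code or a description of their internal implementation; it assumes a small token store where each user has a "generation" counter embedded in every signed token, and a forced logout bumps that counter. The key and identifiers are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-server-key"


class TokenStore:
    """Server-side view of issued access tokens (hypothetical design).

    Each user has a generation number. A token carries the generation it
    was issued under; bumping the generation invalidates every token the
    user currently holds, which is exactly what a forced logout needs.
    """

    def __init__(self) -> None:
        self.generation: dict[str, int] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        gen = self.generation.setdefault(user_id, 1)
        payload = f"{user_id}:{gen}:{secrets.token_hex(16)}"
        return f"{payload}:{self._sign(payload)}"

    def validate(self, token: str) -> str | None:
        """Return the user id for a live token, or None if it is rejected."""
        try:
            user_id, gen, nonce, mac = token.rsplit(":", 3)
        except ValueError:
            return None
        payload = f"{user_id}:{gen}:{nonce}"
        # Constant-time compare: a forged or tampered token fails here.
        if not hmac.compare_digest(mac, self._sign(payload)):
            return None
        # A genuine token from an older generation was force-logged-out.
        if int(gen) != self.generation.get(user_id, 0):
            return None
        return user_id

    def force_logout(self, user_ids) -> int:
        """Invalidate all tokens of the given users; returns users affected."""
        count = 0
        for uid in user_ids:
            if uid in self.generation:
                self.generation[uid] += 1
                count += 1
        return count
```

Only the generation counter is stored per user, so revoking millions of sessions costs one increment per user rather than a scan of every token ever issued.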
Facebook has already notified the authorities regarding this incident. It has yet to determine whether the affected accounts were misused, since the investigation is still in its early stages.