Facebook hacker stole login information for 50 million accounts


Around 90 million users now have to log back into their accounts to be safe

Illustration by Alex Castro / The Verge

This morning, Facebook disclosed a widespread security flaw that could have allowed hackers or other malicious third parties to access an affected user’s account by gleaning their security token. The flaw affected as many as 50 million people, and Facebook says it’s forcibly making around 90 million users log back into their accounts in full today to be safe. The company says that’s because in addition to the impacted accounts, around 40 million additional people simply used the exploitable feature since the exploit was active starting in July of 2017.

It also says it’s fixed the issue and alerted law enforcement, indicating that this is not an engineering mistake, but a purposeful exploit discovered and used by some third-party organization or hacker. The company says its engineering team was made aware of the issue on September 25th, but Guy Rosen, Facebook’s vice president of product management, says it’s not clear whether accounts were compromised, when the issue was exploited, or who might have been behind the attack.

An attacker exploited Facebook’s View As feature to glean user security tokens

“On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook,” wrote CEO Mark Zuckerberg in a post to his personal Facebook page. “We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”

The flaw could have let someone exploit the “View As” feature, which lets you view your own profile as it appears to another user or to the public, as a way of evaluating your specific sharing settings. However, it appears that the feature inadvertently exposed Facebook security tokens when someone selected a profile as the desired View As target. That would let someone gain access to the person’s account. Facebook access tokens are the digital keys that allow mobile users to log in to their accounts without having to retype their passwords.

With full access to a user’s account, the attackers could have used any third-party app that was logged in via Facebook, the company said late Friday.

In addition to making 90 million users log back in today, Facebook said it’s also disabling the View As feature “while it conducts a thorough security review.” The company gives a bit of technical analysis about how the exploit worked, but there still aren’t a lot of concrete details here:

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

On a call with reporters following the announcement, Facebook said that the “video uploading feature” in July of last year related to a tool that allowed users to upload birthday videos in a way that would allow the View As feature to expose secure information, but only when interacting with two other bugs. The company also confirmed that no credit card info was exposed.

News of this security exploit comes just hours after a prominent Taiwanese hacker by the name of Chang Chi-yuan pledged to delete Zuckerberg’s personal page on Sunday as a way to demonstrate some type of security flaw in Facebook, Chang’s proficiency as a hacker, or both. It was not immediately clear whether the issue affecting Facebook’s View As feature is the one Chang intended to exploit, but the timing had some suspecting they could be related.

Facebook said on the call with reporters today that the View As exploit does not have anything to do with Chang’s stunt, which he reportedly planned to stream on Facebook Live. Later on in the day, Chang backed down from his pledge, writing on his personal page that he “reported the bug to Facebook and I will show proof when I get bounty.”

A more pressing concern for Facebook is the absence of a chief security officer, after former CSO Alex Stamos left the company last month. Following Stamos’ departure, Facebook said it would not be filling the CSO role and would instead restructure its security organization and embed specialists through its many divisions. A Facebook spokesperson said at the time that the company would “continue to evaluate what kind of structure works best” to protect users’ security.

Following widespread news coverage of the exploit, Facebook users began reporting that the social network was blocking news links regarding the hack from The Associated Press and The Guardian, leading more cynical critics of the company to assume it was purposefully suppressing negative news about itself on its own platform.

Facebook later confirmed to The Verge that the stories were being shared so frequently that they tripped the company’s internal spam detection tools. “We fixed the issue as soon as we were made aware of it, and people should be able to share both articles,” the company said. “We apologize for the inconvenience.”

Update 9/28, 6:22PM ET: Added comment from Facebook about blocking news links.

Update 9/28, 5:22PM ET: Added information from a second call with reporters.

Update 9/28, 1:35PM ET: Added information from Facebook’s call with reporters this afternoon.

Update 9/28, 4:41PM ET: Added information about Facebook’s internal spam detection tools tripping over fast-spreading Guardian and AP links, as well as an update on Chang Chi-yuan backing down from his pledge to hack Zuckerberg’s page.
