Last Friday, Facebook announced that it had been hacked and that at least 50 million of its accounts had been compromised, through a vulnerability that allowed attackers to steal the access tokens that keep users logged in.
These credentials, usually called access tokens, let a user stay signed in to an app without re-entering a password each time. A token is an unpredictable string of letters and numbers issued by the service after a successful login; whoever presents it is treated as that user, which is why a stolen token is as good as the password for as long as it remains valid.
The vulnerability had been present since July 2017 and was only discovered last month, after Facebook engineers noticed an unusual spike in login activity.
Tokens make the user experience convenient, but a login shortcut concentrates risk. Because so many people sign in to other platforms (such as Pinterest or Spotify) with their Facebook account, compromising Facebook tokens potentially exposes thousands of third-party apps and websites that accept a Facebook login.
Dana Simberkoff, chief risk, privacy, and information security officer for the enterprise security firm AvePoint, says: “You should not use one app to log into another, because when one of those systems is compromised, everything else you interact with can be as well.”
In response, Facebook disabled the faulty feature, invalidated the tokens of 90 million users (the 50 million affected accounts plus 40 million more as a precaution) and logged them out; a new token is issued when each user logs back in. Resetting tokens stops the stolen ones from being used again, but it cannot recover any data already taken or undo anything done while the tokens were valid.
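To make the mechanism concrete, here is a small Python model (an added example, not Facebook's code) of a bearer-token service and the kind of mass token reset described above. The user, token and message names are constructed for the example, and the per-user generation counter used for revocation is an assumed design, not a description of Facebook's internals.

```python
import secrets


class TokenService:
    """Bearer-token issuer with a per-user 'generation' counter for mass revocation.

    Illustrative design (an assumption, not Facebook's implementation): each
    issued token records the user's generation at issue time; bumping the
    counter invalidates every outstanding token for that user at once.
    """

    def __init__(self):
        self._sessions = {}    # token -> (user_id, generation at issue)
        self._generation = {}  # user_id -> current generation
        self._messages = {}    # user_id -> private messages (constructed sample data)
        self.access_log = []   # (user_id, token) for every successful read

    def store_messages(self, user_id, messages):
        self._messages[user_id] = list(messages)

    def login(self, user_id, password_ok):
        """The only step that checks a password; returns a fresh bearer token."""
        if not password_ok:
            raise PermissionError("bad password")
        gen = self._generation.setdefault(user_id, 0)
        token = secrets.token_urlsafe(24)  # unguessable random string
        self._sessions[token] = (user_id, gen)
        return token

    def _resolve(self, token):
        """Map a presented token to a user, or None if never issued or since reset."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, issued_gen = entry
        if issued_gen != self._generation.get(user_id):
            return None  # issued before the last reset_tokens() for this user
        return user_id

    def read_messages(self, token):
        """Whoever presents a valid token reads the messages: no password is asked for."""
        user_id = self._resolve(token)
        if user_id is None:
            return None
        self.access_log.append((user_id, token))
        return list(self._messages.get(user_id, []))

    def reset_tokens(self, user_ids):
        """Log the given users out everywhere by invalidating all their tokens."""
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1


def breach_scenario():
    """Walk through theft, mass reset and re-login; returns the outcome of each step."""
    svc = TokenService()
    svc.store_messages("alice", ["hi bob", "lunch at noon?"])  # constructed sample data

    alice_token = svc.login("alice", password_ok=True)
    stolen = alice_token                              # attacker obtains the token string
    read_before_reset = svc.read_messages(stolen)     # works: a token is a bearer credential

    svc.reset_tokens(["alice"])                       # the service-wide reset described above
    read_after_reset = svc.read_messages(stolen)      # None: the stolen token is dead

    new_token = svc.login("alice", password_ok=True)  # user logs back in, gets a fresh token
    read_with_new_token = svc.read_messages(new_token)
    stolen_after_relogin = svc.read_messages(stolen)  # still None

    return {
        "read_before_reset": read_before_reset,
        "read_after_reset": read_after_reset,
        "read_with_new_token": read_with_new_token,
        "stolen_after_relogin": stolen_after_relogin,
        # the pre-reset read is already in the log: a reset cannot take it back
        "reads_by_attacker_token": sum(1 for _, t in svc.access_log if t == stolen),
    }


if __name__ == "__main__":
    for step, result in breach_scenario().items():
        print(f"{step}: {result}")
```

The scenario shows both halves of the point: the attacker never needs the password, only the token string, and bumping the generation counter kills every outstanding token for the user without touching the password. The access log still records the read that happened before the reset, which is the part no reset can undo. The same counter technique is what lets a service revoke tokens in bulk even when tokens are not stored individually, as long as each token carries the generation it was issued under.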
Who the attackers were, the full scope of the attack and what information they took are still unknown. A valid token lets its holder act as the account owner, so users' data, including their private messages, may have been accessed.
Large breaches of other services have happened before, such as the one at the dating site Ashley Madison, where users' private information was leaked, with chaotic and tragic consequences. This, however, is the largest security breach in Facebook's history.