50 million Facebook accounts breached by access-token-harvesting attack

by Sean Gallagher from Ars Technica - All content on (#3ZRJD)

Facebook reset login tokens for 90 million accounts as it patched bugs that allowed 50 million accounts to be compromised. (credit: Jaap Arriens/NurPhoto via Getty Images)

Facebook reset logins for millions of customers last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach was caused by an exploit of three bugs in Facebook's code that were introduced with the addition of a new video uploader in July of 2017. Facebook patched the vulnerabilities on Thursday, and it revoked access tokens for a total of 90 million users.

In a call with press today, Facebook CEO Mark Zuckerberg said that the attack targeted the "view as" feature, which he described as "code that allowed people to see what other people were seeing when they viewed their profile." The attackers were able to use this feature, combined with the video uploader feature, to harvest access tokens.

"The attackers did try to query our APIs, but we do not yet know if any private information was exposed," Zuckerberg said. The attackers used the profile retrieval API, which provides access to the information presented in a user's profile page, but there's no evidence yet that Facebook messages or other private data was viewed. No credit card data or other information was exposed, according to Facebook.
