While the nation was still focused on an emotionally turbulent Supreme Court hearing last week, Facebook officials revealed Friday that hackers had gained access to almost 50 million users’ profile info, in the site’s largest security breach to date.
However, unlike the many user data controversies that plagued Facebook earlier this year, the hack barely made a dent in the news cycle. What’s more, we still don’t know exactly who was affected, whether or how their data was abused, or even what Facebook is doing to prevent another breach like this from happening again.
“This is a really serious security issue. And we’re taking it really seriously,” said CEO Mark Zuckerberg in a conference call with journalists Friday. “We have a major security effort at the company that hardens all of our surfaces, and investigates issues like this. In this case I’m glad that we found this and that we were able to fix the vulnerability and secure the accounts. But it definitely is an issue that this happened in the first place.”
During the press call, Facebook officials said the hackers exploited a series of bugs related to “access tokens” (the thing that keeps you logged into Facebook on your phone and computer without re-entering your password every time), to view profile data and take control of people’s accounts. This means the hackers would have been able to see basic info like your name, gender, hometown, etc., but (probably) not your secure data, like credit cards or bank info.
However, officials also said they don’t know exactly what this means for the users affected.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based,” Facebook VP of Product Management Guy Rosen wrote in a blog post Friday.
Even more alarming, reporting published in the days after the announcement showed that the access tokens could also be used to infiltrate third-party accounts that are linked to a user’s Facebook. This means that any victims who use their Facebook account to log in to Spotify, Tinder, or any number of other apps could be at an even greater risk.
As a safety measure, Facebook renewed the access tokens for the 50 million hacked users, and 40 million extra users who may have recently interacted with the bug, “out of an abundance of caution.”
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” Rosen wrote.
In other words, if you’ve been asked to re-log in to Facebook on a trusted device in the last few days, or have seen one of the security messages pictured above, your account may have been affected by the breach.
“This is a very strange hack in that it didn’t happen because of errors on the user’s part,” said Nicholas Thompson, the editor-in-chief of Wired Magazine, in an appearance on CBS ‘This Morning.’ “In fact, this is the first hack I’ve ever talked about where I can’t say ‘Change your password,’ because they couldn’t see your password.”
When asked what victims of the hack can do to protect themselves now, Thompson said simply, “There’s nothing you can do right now, the horse has left the barn.”
However, he continued, “What you should do in general is you should change your passwords, you should use two-factor authentication, you should have really important information about yourself — like bank information, emails about stuff you care about — in as few places as possible.”
As for Facebook’s plan to prevent this kind of hack from happening again in the future, Zuckerberg and other officials have been strategically ambiguous. The Social Network was reportedly already in the process of hiring at least 10,000 “people working on safety and security” this year, although it’s unclear who these people will be and how they will help solve Facebook’s many security problems.
Much more information is likely to surface this week as Facebook learns more about the breach and the people behind it.