This Friday the Guardian reported that nearly 50 million users’ accounts were compromised. According to Facebook, the breach was discovered on September 25th and patched two days later. In the meantime, the vulnerability allowed hackers to gain sensitive information about users’ accounts, such as photos and private conversations, as well as the ability to log into any other apps that use Facebook login.
How did the hack work?
The breach was made possible by exploiting the “View As” feature, which allows users to see how their profile looks to strangers. The exploit revolved around stealing a user’s security token through the “View As” vulnerability.
By gaining access to a user’s security token, a hacker can log in to the victim’s account and fully control it. While the hacker does not obtain the account’s password, they are able to see all photos, read any conversations the victim has had via Facebook Messenger, and also log in to any apps that use Facebook login.
Facebook said it has no leads as to who might be responsible for the hack. However, speaking to WSJ reporter Dustin Volz, the company did say that the attack was complex and leveraged multiple bugs.
I asked Facebook how sophisticated the hackers were and whether this could be nation-state activity. Rosen says attack was "complex" and leveraged three multiple bugs that interacted together. "We may never know" the identity of the hackers, Rosen adds.
— Dustin Volz (@dnvolz) September 28, 2018
To prevent any further issues, Facebook reset the security tokens of roughly 90 million users. All of these users have to log in to their accounts again on all their devices.
We may not know the true impact of the recent Facebook hack until months later. We do not know whether or not the hackers archived private information of millions of users, and whether or not this data will surface on the darknet.
According to research by MoneyGuru, Facebook logins are already being sold on the dark web for roughly $4. Twitter logins are being sold for roughly $3, and Instagram accounts go for around $6.
The good news is that this time the hackers did not gain access to users’ passwords, so account logins from the recent hack will most likely not be leaked. However, other sensitive data was compromised, such as photos and private conversations, both of which could end up being sold.