A massive data breach has impacted 50 million people’s Facebook accounts, Sci&Tech Editor Will Nunn reports

Written by Will Nunn

An unusual spike in Facebook user activity on the 16th of September triggered an investigation which subsequently uncovered one of the largest hacks in the site’s history. On the 25th, it was revealed that around 50 million accounts were impacted. These users were logged out by the site, along with an additional 40 million at-risk users.

50 million accounts were impacted

The attack came in the wake of a Taiwanese hacker threatening to delete site founder Mark Zuckerberg’s own account, but it is unknown whether they were connected. The identity of the culprit is yet to be found.

The hack utilised two bugs in the Facebook system in tandem to gain control of any profile. Facebook profiles include a “View As” function which allows users to view their own profile as it would be seen by another user of their choice. A bug resulted in the video upload tool appearing within user pages generated by “View As”. When clicked, the video upload function generates an “access token”, which allows the account to remain signed in on the device used. The hackers were able to use the upload function within the “View As” page to trigger access tokens for any user of their choice, gaining control of that user’s account.

Logging at-risk users out resets their access tokens, meaning hackers would need to repeat the process to gain access to those accounts again. Facebook has also removed the “View As” function at the time of writing. A sophisticated understanding of the way the site works would have been required to notice this kind of weakness.
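To make the two paragraphs above concrete, here is a small added model (not Facebook’s code; the names `Session`, `mint_token`, `render_view_as_*` and `force_logout` are hypothetical) of a “View As” page whose embedded uploader mints a token for the rendered identity instead of the logged-in user, the corrected version that only ever mints for the authenticated principal, and the mass logout as a revocation that invalidates every outstanding token.

```python
"""Toy model of the "View As" token bug described in the article and its fix.

Added example, not Facebook code. All names and the signing key are constructed
for illustration; the real implementation is not public.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SECRET = b"constructed-demo-signing-key"   # constructed sample key, demo only
# user_id -> token generation; bumping it invalidates every older token for that user
TOKEN_GENERATION: Dict[str, int] = {}


@dataclass
class Session:
    authenticated_user: str   # the principal who actually logged in


def mint_token(user_id: str) -> str:
    """Issue a signed 'stay logged in' token bound to user_id and its current generation."""
    gen = TOKEN_GENERATION.get(user_id, 0)
    payload = f"{user_id}:{gen}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}:{sig}"


def token_user(token: str) -> Optional[str]:
    """Return the user a token grants access to, or None if it is forged or revoked."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, gen, sig = parts
    expected = hmac.new(SECRET, f"{user_id}:{gen}".encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(sig, expected) or gen != str(TOKEN_GENERATION.get(user_id, 0)):
        return None
    return user_id


def render_view_as_vulnerable(session: Session, view_as: str) -> str:
    """Flaw modelled on the article: the page is rendered as `view_as`, and the
    uploader embedded in that page mints its token for the *rendered* identity."""
    return mint_token(view_as)


def render_view_as_fixed(session: Session, view_as: str) -> str:
    """Fix: whatever identity the page is rendered as, tokens are only ever
    minted for the authenticated principal (Facebook's immediate response was
    simply to disable "View As")."""
    return mint_token(session.authenticated_user)


def force_logout(user_id: str) -> None:
    """Model of the mass logout: bump the generation so all outstanding tokens fail."""
    TOKEN_GENERATION[user_id] = TOKEN_GENERATION.get(user_id, 0) + 1
```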

This all comes during one of the most challenging years in the site’s history, and adds to mounting concerns over user privacy. Back in March, it was revealed that Cambridge Analytica had used the personal data of millions of users without consent to individually tailor political advertisements on behalf of right-wing political groups in both America and the UK.

If you are concerned that your own account may have been compromised, the usual advice applies. Use a strong password, check your account settings and make sure you recognise all of the devices signed into your account, disable “keep me logged in” or auto-login functions, and set up two-factor authentication to maximise the security of your account.