Did You Get Logged Out of Facebook? It’s Because 50 Million People Got Hacked

The bad news for Facebook’s users just won’t end. Today Facebook had to admit that attackers gained access to roughly 50 million accounts by abusing a little-known feature.

The “View As” feature gives you the ability to see what your profile looks like to somebody else—so you can check to see whether your privacy settings are being correctly applied, for example.

Attackers were able to abuse a security hole in this feature to steal access tokens and take over people’s accounts. An access token is roughly the equivalent of the login cookie that keeps you signed in: whoever holds it is you, as far as the site is concerned, and no password is needed. This is not unlike the session-hijacking attacks that became common a number of years ago, when people sniffed unencrypted traffic at Wi-Fi hotspots and replayed other users’ cookies. That risk is one of the reasons you’d want to use a VPN on public networks, and why the web has been switching to HTTPS. Except, in this case, the tokens were handed out by a bug in Facebook’s own server-side code, so nothing on your end could have protected you.


The problem appeared to be in a video uploader for sending messages, which shouldn’t have appeared on the View As page, but did. When that uploader was opened, the bug generated an access token for the account whose view you were looking at, rather than for you. In other words, it effectively logged the attacker in as the person the profile was being viewed as. From there the attack scales: with that token the attacker could pull the victim’s friends list, repeat the trick on each friend, then on each friend of a friend, until, six degrees of Kevin Bacon later, they had accessed 50 million accounts.
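To make the two mechanisms above concrete (a token that acts as someone other than the person who is logged in, and the friend-by-friend harvest it enables), here is an added toy model written for this article. It is not Facebook’s code and does not reproduce the real bug; the `Site` class, the `FRIENDS` graph, the `APP_SCOPES` set and the `crawl` function are all assumptions constructed for the illustration. The vulnerable render hands the embedded uploader a token minted for the impersonated account; the hardened render binds any token to the authenticated viewer and gives it only the scope the widget needs.

```python
"""Toy model of a View As token-minting flaw and the transitive harvest it allows.
Added illustration for this article, not Facebook's code; everything here is assumed."""
from collections import deque
from dataclasses import dataclass
import secrets

# Constructed friend graph. The attacker controls "mallory"; "dave" is unreachable.
FRIENDS = {
    "mallory": {"alice"},
    "alice": {"mallory", "bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "dave": set(),
}
# Assumed scope set of the mobile app's login token.
APP_SCOPES = frozenset({"read_friends", "post_video"})


@dataclass(frozen=True)
class Token:
    subject: str        # the account this token acts as
    scopes: frozenset   # what the holder may do


class TokenService:
    """Mints opaque bearer tokens and remembers whom each one represents."""

    def __init__(self):
        self._issued = {}

    def mint(self, subject, scopes):
        t = secrets.token_urlsafe(16)
        self._issued[t] = Token(subject, frozenset(scopes))
        return t

    def lookup(self, t):
        return self._issued.get(t)


class Site:
    """Login, a friends API and the View As page; `fixed` selects the hardened render."""

    def __init__(self, fixed):
        self.tokens = TokenService()
        self.fixed = fixed

    def login(self, user):
        return self.tokens.mint(user, APP_SCOPES)

    def friends(self, token):
        who = self.tokens.lookup(token)
        if who is None or "read_friends" not in who.scopes:
            raise PermissionError("token missing or lacks read_friends")
        return set(FRIENDS[who.subject])

    def view_as(self, session_token, target):
        """Render the viewer's own profile as `target` would see it."""
        viewer = self.tokens.lookup(session_token)
        if viewer is None:
            raise PermissionError("not logged in")
        page = {"profile_of": viewer.subject, "seen_by": target}
        if not self.fixed:
            # BUG: the uploader is embedded in the preview, and its token is minted
            # for the *impersonated* account with full app scopes. Whoever reads the
            # page now holds a token that acts as `target`.
            page["uploader_token"] = self.tokens.mint(target, APP_SCOPES)
        else:
            # Fix: any token handed to a page widget is bound to the authenticated
            # viewer and carries only the scope that widget needs.
            page["uploader_token"] = self.tokens.mint(viewer.subject, {"post_video"})
        return page


def crawl(site, attacker):
    """Breadth-first harvest: from every account we hold a token for, open View As
    on each of its friends and keep any token the page hands back that acts as
    that friend. Returns the set of accounts whose tokens we ended up holding."""
    owned = {attacker: site.login(attacker)}
    queue = deque([attacker])
    while queue:
        user = queue.popleft()
        for friend in site.friends(owned[user]):
            if friend in owned:
                continue
            tok = site.view_as(owned[user], friend).get("uploader_token")
            if tok and site.tokens.lookup(tok).subject == friend:
                owned[friend] = tok
                queue.append(friend)
    return set(owned)


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "vulnerable"
        print(label, sorted(crawl(Site(fixed), "mallory")))
```

Run against the vulnerable site, `crawl` walks the whole connected component of the graph from a single attacker login; against the fixed site it never gets past the attacker’s own account, because every token the page emits names the viewer, and the friends API also refuses the narrowly scoped widget token. The two properties to check in any impersonation or preview feature are the same: the subject of every minted credential is the authenticated principal, and its scope is the minimum the requesting component needs.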

What You Need to Know

Update: We now know that it’s very likely other applications using Facebook Login were affected as well. A stolen token could have been used to get into services like Instagram, Tinder, Spotify, or any number of other things that let you sign in with Facebook.

Details on this debacle are very thin at this point, but here is what we do know:

Facebook has completely disabled the View As feature while they investigate how it all happened, how much data was lost, and how they can solve the problem going forward.


This data breach, combined with the recent news that Facebook is collecting shadow profiles and using your email address to target ads, is going to ramp up calls for GDPR-style regulation over these internet giants. As well it should.



Lowell Heddings
Lowell is the founder and CEO of How-To Geek. He’s been running the show since creating the site back in 2006. Over the last decade, Lowell has personally written more than 1000 articles which have been viewed by over 250 million people. Prior to starting How-To Geek, Lowell spent 15 years working in IT doing consulting, cybersecurity, database management, and programming work.