Facebook hack affects 30 million user accounts

Facebook revealed it had discovered a security issue affecting millions of accounts on 25 September 2018. The attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets users see what their own profile looks like to someone else. As of July 2017, when composing a birthday wish message with video, an attacker could exploit the ‘View As’ option of the video uploader to get access to the profile of the user being looked up, including their login details. The access token was then available in the HTML of the page, where the attackers extracted it and used it to log in as another user. Facebook reset the access tokens of almost 50 million accounts thought to be affected, and temporarily disabled the ‘View As’ feature.

On 12 October, Facebook announced that hackers actually stole access tokens of about 30 million users, 20 million fewer than previously thought. For 15 million users, attackers accessed name and contact details (phone number, email, or both). For 14 million users, the attackers accessed name and contact details, as well as other details people had on their profiles, including username, gender, religion, birth date, etc. For 1 million users, the attackers did not access any information.