Facebook Resetting Access Tokens for 90M Users After Breach

Facebook reveals that somehow attackers were able to breach its systems and obtain user access tokens for at least 50 million accounts, triggering a reset involving at least 90 million user accounts.

This continues to be a challenging year for Facebook. 

On Sept. 28, the company publicly admitted that it was the victim of a data breach that impacted approximately 50 million user accounts. Out of an abundance of caution, Facebook is resetting the access tokens for a total of 90 million user accounts. The breach was apparently discovered in the afternoon on Sept. 25 and was quickly remediated.

"Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else," Guy Rosen, vice president of product management at Facebook, wrote in an advisory. "This allowed them to steal Facebook access tokens which they could then use to take over people's accounts."

An access token is not the same as the username and password combination that Facebook users need to log into the social networking service. Rather, once a user logs into Facebook with their credentials, the site assigns an access token, which keeps the user logged in. It is those access tokens that were accessed in the data breach.

Facebook has now reset 90 million user access tokens, meaning those users have been logged out of the system and will need to log back in. Rosen noted that there is no need for users to change their existing password.
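The distinction between a password and an access token, and the effect of a forced token reset, can be shown in a small sketch. This is an added example, not Facebook's code: the `SessionStore` class, its method names and the per-user epoch counter are hypothetical, chosen as one common way to invalidate every outstanding token for a set of accounts without touching their passwords.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Toy session service (hypothetical): password login issues an opaque token."""

    def __init__(self):
        self._users = {}    # user -> (salt, password hash)
        self._epoch = {}    # user -> current token generation
        self._tokens = {}   # sha256(token) -> (user, epoch at issue time)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._pw_hash(password, salt))
        self._epoch[user] = 0

    def login(self, user, password):
        if user not in self._users:
            return None
        salt, stored = self._users[user]
        if not hmac.compare_digest(stored, self._pw_hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        # Keep only a digest server-side so the table itself holds no live tokens.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[key] = (user, self._epoch[user])
        return token

    def whoami(self, token):
        entry = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None:
            return None
        user, issued_epoch = entry
        # A bearer token is honoured only if issued in the user's current epoch.
        return user if issued_epoch == self._epoch[user] else None

    def reset_tokens(self, users):
        """Invalidate all outstanding tokens for the listed users; passwords untouched."""
        for user in users:
            self._epoch[user] += 1
```

After `reset_tokens`, a copied token stops working wherever it is held, while the account owner simply logs in again with the unchanged password.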

View As

Facebook has shut off the "View As" feature as it conducts a review of how the attack occurred. Rosen said that at this early stage it appears that a change made in July 2017 to the video uploading feature in Facebook somehow impacted the View As functionality.

Facebook has not yet publicly stated how long attackers may have been able to access user tokens, or whether users have been at risk the entire time since the July 2017 change.

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Rosen wrote. "We also don’t know who’s behind these attacks or where they’re based."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.