Facebook Discovers Security Issue Affecting Almost 50 Million Accounts
Oct 02 2018
A class-action lawsuit has been proposed in Canada against Facebook following a security breach that put the accounts of tens of millions of users at risk. It adds to the social network's mounting woes in its largest market. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens. In India, Facebook's single sign-on feature allows users to log into third-party apps such as Swiggy, Zomato, BigBasket, Hotstar, Tinder, Nykaa, SonyLIV, RentoMojo, FreshMenu, Chai Point, Quora, Snapchat, HealthifyMe, and Dominos, among others, without creating a unique profile for each one.
The lawsuit was filed by two of the social network's users, Carla Echavarria of California, and Derrick Walker of Virginia. It is not yet known how many Canadian users were affected.
Facebook has suffered two data breaches in recent memory, including the Cambridge Analytica scandal, in which some 87 million accounts were compromised. It is currently unclear whether the hackers actually accessed such data. Facebook India declined to comment, directing queries to its global office.
Facebook and sites like Google, Twitter and Tumblr are also accused of having allowed the spread of "fake news" through their networks, including to manipulate public opinion in favour of Trump ahead of the US election.
Facebook is also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the previous year.
"I'm glad we found this and fixed the vulnerability".
"We cannot say with absolute surety what went wrong until Facebook shares more information", said Prakash.
This enabled them to steal access tokens which they could then use to take over people's accounts, the social media giant said.
The hackers were able to exploit this vulnerability to gain access to the security tokens.
While Facebook says that it has already taken steps to fix the bug, there are many questions that are coming to the minds of the users today.
In a statement to CNN on Monday, Tinder said it has done "a full forensic investigation" since Facebook's "limited" disclosure and has found "no evidence to suggest accounts have been accessed". "There is a potential risk of a second tier leak..."
Ireland's Data Protection Commission, which is Facebook's lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which European Union residents might be affected. You can also try deactivating your account for some time, as reactivating it will also grant new access tokens, while old tokens will automatically expire. The company began notifying affected users this morning with a message on its website and mobile app, and it's been holding a series of calls with reporters throughout the day to brief them on technical details and other information as it arises.