SAN FRANCISCO — The security issue Facebook announced on Friday has alarmed researchers who say attackers collected information that not only gave access to sensitive information on Facebook, but also could be used to access many websites that use the social network's "Login with Facebook" function.
Facebook revealed that unnamed attackers were able to exploit a series of flaws to collect “access tokens” for 50 million accounts. Those tokens, Facebook said, would allow attackers to take over profiles and theoretically access any information therein. It has not announced how many of those 50 million accounts were accessed or what if any information was taken since the account tokens were first exposed 14 months ago.
But security researchers are warning users to be on alert for suspicious activity — on and off Facebook.
The tokens could have been used to create or access accounts with companies that use Facebook’s “Login with Facebook” function, which allows people to sign up for various websites and services with their Facebook profiles.
Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, said Facebook users should check their connected apps for any accounts they had not signed up for.
- Go to Facebook and click on the arrow in the top right.
- Click on “Settings” and then on “Apps and Websites.”
- These are the companies with which your account has been logged in using your Facebook account. If you see any companies you do not recognize, you should report them to Facebook.
- For companies you did use Facebook’s single sign-on, go to those accounts to see if anything has changed or there was any recent suspicious activity.
- Keep an eye out for any suspicious activity such as emails from companies that you have not signed up for.
Polakis, who recently helped author a paper on the security risks of single sign-on systems, said users do not necessarily need to change their Facebook passwords. He also noted that deleting Facebook profiles will not affect any accounts on other websites that had already been created or accessed using the tokens. Facebook has invalidated the tokens, meaning no new accounts can be created.
He warned that these steps do not ensure that attackers have not been able to set up accounts, nor does it address the possibility that sensitive information was taken directly from Facebook accounts. He also noted that even users who have never used “Login with Facebook” could have had their tokens used to create accounts.
He advised users to log out of those accounts and terminate all active sessions, is possible.
“There's not much you can do from there apart from looking at your accounts on all those websites to see if something suspicious is going on,” Polakis said.
Damon McCoy, assistant professor of computer science and engineering at New York University, also advised that users check their “Security and Login” settings in Facebook.
- Go to Facebook and click on the arrow in the top right.
- Click on “Settings” and then “Security and Login.”
- Check “Where you’re logged in” for suspicious sessions. If you see any, click the dots beside the session and then click “Not You?” to report it to Facebook.
- While there, you can get notifications if someone tries to access your Facebook profile in the section titled “Setting Up Extra Security.”
Facebook has endured a variety of security issues in past years, but this flaw is potentially more damaging to users’ reputations and lives than previous security issues. Unlike the Cambridge Analytica scandal, in which the political consultancy was able to harvest Facebook user profile information through Facebook’s own system, the “access tokens” flaw has the potential to reveal personal information on millions of people since attackers could access and control any part of a user’s profile.
McCoy said in an email that attackers could have made any number of changes to compromised accounts.
“Some examples of how a Facebook account might have been misused include adding/deleting friends, post, Facebook apps, comments, likes, private messages,” McCoy said. “Any attack could also have changed the privacy setting of any existing content or changed the default privacy setting of future posts, comments, or likes.”
Facebook has not announced how many of profiles were accessed by attackers, but did say that the tokens of Facebook CEO Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg were among those taken.
The security issue also has the chance to be particularly bad for Facebook, coming amid growing scrutiny over the company’s handling of user data and its market power. Shortly after Facebook announced the flaw, U.S. and Ireland regulators issued statements saying they were looking in to the matter.
Under Europe’s General Data Protection Regulation (GDPR), Facebook could face a fine upwards of $1.6 billion, according to The Wall Street Journal.
Michael Veale, a technology policy researcher at University College London, said the episode might get regulators thinking more about login systems like Facebook’s single sign-on and how a breach in these systems can compromise data from other services.
“This makes the stakes quite high,” he said, “and if data was accessed from other apps that required a Facebook login, that could have significant consequences not just for the social network, but also for the other companies involved.”
It has not announced how many of those 50 million accounts were accessed or what if any information was taken ++add?++> since the error was first introduced 14 months ago.
Users concerned about the risk of using "Login with Facebook" may be able to convert any account they signed up for through their Facebook login to a different login, such as their email address, wrote Jackie Stokes, a cybersecurity advisor at Spyglass Security. Users can check their account settings on that service for options.
Errors like these are somewhat inevitable, experts say, especially in a large, complicated, and older product like Facebook that has a history of wanting to "move fast and break things." Signing up for a notification service that lets you know if your account has been part of a recent breach, like HaveIBeenPwned.com, could help give you an extra heads up when — not if — the next attack occurs.
“Software development introduces bugs as a by-product," wrote Stokes in an email. "This means a limited number of defenders are in a constant cat and mouse game with hundreds, maybe thousands of hackers who may be attempting to gain access to a major service such as Facebook.”
Jason Abbruzzese and Ben Popken reported from New York. David Ingram reported from San Francisco.