More unsettling news for Facebook users: 50 million accounts have been exposed to hackers through a vulnerability in the “View As” feature, which is designed to let you see your profile as it appears to others.
If you had to sign back into your account today, you may be among the affected group.
Here’s what happened
Facebook’s security team discovered the View As vulnerability on Tuesday. Hackers exploited this feature to steal access tokens from users who’d recently previewed their profiles.
An access token is basically a digital key that keeps you signed in to your account without re-entering your password, which is why a stolen token can let someone else into the account.
According to Guy Rosen, VP of Product Management at Facebook, it’s still unclear whether hackers actually took information from within the exposed accounts or otherwise “misused” them.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” Rosen writes in the September 28, 2018 press release.
Facebook reset access tokens for the 50 million known-exposed accounts, plus 40 million additional accounts that have used the “View As” feature in the past year.
How to protect yourself
“The good news is, Facebook’s token reset should have already sealed out bad actors,” says Ian Kirk, director of cloud services at Asurion. “They’ve also patched the vulnerability and shut down the ‘View As’ feature for now. It’s still always good practice to use long passwords, and to change them frequently.”
There are a few basic precautions you can take to sleep a little more soundly tonight:
- Sign out of your account: Even if you weren’t among the initial group of 90 million, you can never be too careful. Open Facebook and tap Settings > Log Out. This will reset your access token and kick out anyone who might have gained access.
- Sign out of linked accounts: If you use Facebook to sign in to other accounts (like Instagram, Pinterest, or Tinder), you may want to sign out of those services, too. Visit the Account Settings page, tap Apps and Websites, and choose Logged in with Facebook. Select apps/services on the list, then tap REMOVE to sign them out.
- Check your profile: Look for anything out of place, such as posts you don’t recognize, missing information, or profile changes you didn’t make.
- Remove personal info: Getting hacked is never ideal, but you can prevent your personal info from being stolen by keeping it off Facebook. Remove things like birthdays, addresses, phone numbers, etc. to make sure your data doesn’t fall into the wrong hands.
Facebook’s investigation of the incident is ongoing, so stay tuned for more updates. This also may be a good opportunity to comb through your albums from 2010 and remove a few potentially compromising photos. Just a thought.