Around 5 crore (50 million) accounts were affected by a major cyber security breach, Facebook said on Friday, adding that the vulnerability has been fixed and the police have been informed.
The loophole, says the company, was discovered in the "View As" feature, which allowed criminals to gain access to the affected accounts. "View As" lets users see how their profile appears to other users. For the time being, Facebook has disabled this feature.
In a blog post, Guy Rosen, vice president, Product Management at Facebook, said that on Tuesday afternoon the engineering team discovered a security issue which affected 50 million (5 crore) accounts, adding that the company was taking it very seriously and that immediate action had been taken to protect users' security.
How did it happen?
The attackers exploited a loophole in Facebook's code that impacted the "View As" feature. This allowed them to steal access tokens which could be used to take over people's accounts.
Access tokens, which are similar to digital keys, allow users to stay logged in to Facebook in the background without needing to launch the app on a phone or log in again in a browser.
The hackers were able to fool Facebook's servers into believing they were the authorised users of the target's account, thus getting full access to and control of the affected accounts.
Facebook says the attack stemmed from a change made to its video uploading feature in July 2017, which impacted the "View As" feature.
A cybersecurity expert says what is not known is since when the vulnerability existed, who the hackers were, and to what extent damage has been caused. In this case, not only profile data but even personal messages, chats on Messenger and every picture users have uploaded, including those hidden from friends or the public, may have been compromised.
What can users do?
Facebook says users don't need to reset their passwords, as it will reset the access tokens in the background if it finds more affected accounts.
But to be on the safe side, users can log out of all the devices they are using to access Facebook and log in again. Users can also reset their passwords and add two-step verification.
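The two points above, that a stolen access token is enough for the server to treat the holder as the account owner, and that the fix on the server side is to reset (revoke) those tokens rather than rely on a password change, can be shown with a small server-side session store. This is an added example written for this article and is not Facebook's code; the `SessionStore` class, its method names and the user ids are constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side registry of bearer access tokens (constructed example).

    The server keeps a map token -> account. Whoever presents a valid token
    is treated as that account; nothing else about the client is checked.
    """

    def __init__(self):
        self._tokens = {}      # token string -> {"user": user_id, "issued": epoch}
        self._passwords = {}   # user_id -> password (hypothetical credential store)

    def issue(self, user_id):
        """Create a fresh random token for a logged-in user (one per device/app)."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user_id, "issued": time.time()}
        return token

    def resolve(self, token):
        """Return the account a token belongs to, or None if it is unknown/revoked."""
        entry = self._tokens.get(token)
        return entry["user"] if entry else None

    def active_sessions(self, user_id):
        """How many live tokens an account currently has (one per device)."""
        return sum(1 for e in self._tokens.values() if e["user"] == user_id)

    def revoke_all(self, user_id):
        """Invalidate every token of one account: what 'log out of all devices' does."""
        stale = [t for t, e in self._tokens.items() if e["user"] == user_id]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def revoke_for_users(self, user_ids):
        """Bulk token reset over a list of affected accounts, as a platform
        would run in the background once it knows which accounts were hit."""
        return sum(self.revoke_all(u) for u in set(user_ids))

    def change_password(self, user_id, new_password, revoke_sessions=True):
        """Password change. Note that on its own it does not touch existing
        tokens; revoking sessions alongside it is what closes a stolen token."""
        self._passwords[user_id] = new_password
        return self.revoke_all(user_id) if revoke_sessions else 0


def stolen_token_outcome(revoke_sessions_on_password_change):
    """Walk through the scenario from the article with constructed accounts:
    a token is copied by an attacker, the victim changes their password,
    and we check whether the copied token still resolves to the victim."""
    store = SessionStore()
    victim_token = store.issue("victim_account")     # constructed user id
    store.issue("victim_account")                    # a second device
    copied_token = victim_token                      # attacker holds a copy

    before = store.resolve(copied_token)             # "victim_account"
    store.change_password("victim_account", "new-secret",
                          revoke_sessions=revoke_sessions_on_password_change)
    after = store.resolve(copied_token)              # None only if tokens were revoked
    return before, after, store.active_sessions("victim_account")


def background_reset(affected):
    """Platform-side bulk reset over a constructed list of affected accounts;
    returns the number of tokens invalidated and a sample post-reset lookup."""
    store = SessionStore()
    tokens = {u: store.issue(u) for u in ["a1", "a2", "a3"]}   # constructed ids
    store.issue("a2")                                          # a2 has two devices
    revoked = store.revoke_for_users(affected)
    return revoked, {u: store.resolve(t) for u, t in tokens.items()}


if __name__ == "__main__":
    print(stolen_token_outcome(revoke_sessions_on_password_change=False))
    print(stolen_token_outcome(revoke_sessions_on_password_change=True))
    print(background_reset(["a1", "a2"]))
```

Running the block shows the copied token still resolving to the victim after a password change when sessions are not revoked, and resolving to nothing once `revoke_all` runs, which is why the user-side advice is to log out of all devices and why the platform-side response is a token reset over the affected accounts.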