
1 - 14 of 14 Posts

Administrator · 63,461 Posts · Discussion Starter #1
I recommend that folks at least do the bit in bold...and check their settings

Betsy

Press release by FB:
https://newsroom.fb.com/news/2018/09/security-update/

By Guy Rosen, VP of Product Management

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security.

Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.

Here is the action we have already taken. First, we've fixed the vulnerability and informed law enforcement.

Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, we're temporarily turning off the "View As" feature while we conduct a thorough security review.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don't know who's behind these attacks or where they're based. We're working hard to better understand these details -- and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.

People's privacy and security are incredibly important, and we're sorry this happened. It's why we've taken immediate action to secure these accounts and let users know what happened. There's no need for anyone to change their passwords. But people who are having trouble logging back into Facebook -- for example because they've forgotten their password -- should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the "Security and Login" section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.
Category: Company News
 

Registered · 12,250 Posts
I had an Android device logged in from Moscow, Russia since June :eek:. I don't really use Facebook, so there is no info on it other than 2 groups I entered and then promptly couldn't find anymore, as Facebook is so confusing. I logged that device out and changed my password. There were no postings made from my account or anything else changed. Still the same pretty unused account. I am thinking they were collecting a bunch so they can use the more active ones to send out fake stuff. Since my log-on is from Russia, I assume that is where this mess originated. Yet again.
 

Administrator · 63,461 Posts · Discussion Starter #3
I had some logins from Longwood, MD. Can't recall being there. I disallowed all of those. Gonna change my password and maybe institute two-step verification.
 

Registered · 12,250 Posts
Well, at least for you there might be a teeny possibility with MD. I know I've never been to Russia, especially since June, so it's pretty obvious. 8)

I just changed passwords on some other stuff too while I was at it. Was about time anyway. Two-step can be a bit of a pain, but it works. I use it at Amazon too. They even have to ask me for the code when I call customer service.
 

Registered · 10,391 Posts
Betsy the Quilter said:
I had some logins from Longwood, MD. Can't recall being there. I disallowed all of those. Gonna change my password and maybe institute two step verification.
The location is probably a "best guess" based on IP address. If that's a nearby town, it's probably fine. If it's hundreds of miles away from anywhere you've been, maybe not. Anything in between...? :) In any case, no harm in logging anything/everything out, and then logging in again when needed (other than remembering your password :) ).
 

Administrator · 63,461 Posts · Discussion Starter #6
Yeah, I looked at the location on Google Maps and the date and really don't think I was there.... Though I could have been logged into a network that registered as Longwood, MD.... Who knows.
 

Administrator · 63,461 Posts · Discussion Starter #8
Chad Winters said:
If you use a VPN... I often do in public wifi areas... it may spoof your location as somewhere else in the world.
I wondered about that, but I only recently, while in London, played with using a VPN. So, I think in my case, it was probably using my stepson's network--he's closest to the location shown.

We learn something every day...

Betsy
 

Registered · 12,250 Posts
I am not sure if I trust them to be totally open about how many accounts this really affected. They say that if you were not signed out, you were not affected. I was still signed in. Not signed out, but yet I found a logged-in device from Russia in my settings. There was no indication my account was part of the 50 million. But something obviously went on with it. I don't believe them. How could they not have known that one could "steal" those tokens to view the profile? After all these years.
 

Administrator · 63,461 Posts · Discussion Starter #11
Yeah, the C|Net article makes that point and advises that it can't hurt to change one's password.

Betsy
 

Administrator · 63,461 Posts · Discussion Starter #14
Atunah said:
Not something I ever did, signing in with Facebook. Might be more work, but I pretty much create sign-ins for everything on my own.
And I think that's the right thing to do, Atunah!

Betsy
 