The shocking report comes as Facebook is in the grips of a major identity theft crisis in which criminals exploited a bug giving them access to 50 million user accounts.
The latest attack hasn’t just impacted the social network, but many other sites as well.
On Friday evening, Facebook revealed that hackers had gained access to 50 million accounts.
This let them use your Facebook account “as if they were the account holder” — a shocking security gaffe.
But because of the way the hack worked, it also gave attackers the same level of access to any additional social media accounts you use Facebook to log in with.
So if you tied your Facebook to Messenger, Instagram, Spotify, Tinder or Airbnb, the hackers will have been able to slip into those accounts too, accessing your profile information, photos, private messages and more.
It’s all thanks to a major screw-up in Facebook’s website code.
When you log in to websites like Facebook, you are given an access token.
Access tokens are like digital keys that remind the website, and any linked services, that you’re logged in.
That’s why when you close the Facebook tab and open it up again later, you’re still logged in.
But last June, Facebook added a new video upload tool which introduced a major bug.
The bug allowed hackers to generate access tokens for absolutely anyone on the website.
Unsurprisingly, hackers used this bug to create access tokens for 50 million users across the site.
Importantly, if you log in to other services with Facebook, this access token would treat you as being logged in to those services too.
So it didn’t matter how strong your password was, or whether two-factor authentication meant you needed to receive a text or email code to log in.
The hack allowed attackers to convince these websites that they were already logged in — accessing your account under the radar.
Hackers were also given complete access, effectively as if they were you, and so could have reached any part of your accounts.
The only way to actually avoid being caught up in this hack was to (1) not have a Facebook account, or (2) get lucky, and not be targeted by the hackers.
“Because this issue impacted access tokens, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications,” Synopsys senior technical analyst Tim Mackey said.
“If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their app settings to see which applications and games they’ve granted access rights to within Facebook.”
Source: The Sun UK, Money Guru, Facebook, Hackattack