Jump directly to the content
ZUCKING HELL

Facebook hackers got access to your Tinder, Spotify, Instagram, Messenger and Airbnb too

FACEBOOK'S latest hack attack doesn't just affect the social network – but loads of other sites too.

If you use Facebook to log into other services – like Instagram or Tinder – then Facebook hack attackers may have stolen all of your profile info, photos, private messages and more.

 Hackers were able to see absolutely anything they wanted to on your Facebook – including private info
4
Hackers were able to see absolutely anything they wanted to on your Facebook – including private info

On Friday evening, Facebook revealed that hackers were given access to 50million accounts.

This let them use your Facebook account "as if they were the account holder" – a shocking security gaffe.

But because of the way the hack worked, it also gave attackers the same level of access to any accounts you use Facebook to log in with.

So if you tied your Facebook to Messenger, Instagram, Spotify, Tinder and Airbnb, hackers will have been able to slip into those accounts too.

 Facebook's billionaire CEO Mark Zuckerberg declined to say whether he would stand down or not during a call with reporters on Friday
4
Facebook's billionaire CEO Mark Zuckerberg declined to say whether he would stand down or not during a call with reporters on FridayCredit: AP:Associated Press

It's all thanks to a major screw-up in Facebook's website code.

When you log into websites like Facebook, you get given an access token.

Access codes are like digital keys that remind the website – and other linked services – that you're logged in.

That's why when you close the Facebook tab and open it up again later, you're still logged in.

If you have an access token, you don't need to enter your username and password – because it means you're already logged into the website.

But last June, Facebook added a new video uploader tool that introduced a major bug.

The bug allowed hackers to generate access tokens for absolutely anyone on the website.

Unsurprisingly, hackers used this bug to create access tokens for 50million users across the site.

Facebook hack timeline – when did it all happen?

Here's what you need to know...

  • The vulnerability in Facebook's code was the result of three separate bugs
  • These were created in July 2017, when Facebook created a new video upload functionality
  • On September 16, 2018, Facebook discovered unusual activity, which manifested itself as a "spike in users", according to officials
  • Facebook then launched an investigation
  • On Tuesday, September 25, Facebook uncovered the attack and found the vulnerability
  • On Wednesday, September 26, Facebook notified law enforcement
  • On Thursday evening – September 27 – Facebook said it fixed the vulnerability
  • On Friday evening – September 28 – Facebook disclosed the vulnerability to the public
 Hackers were able to access 50million user accounts – with Facebook admitting that a further 40million users may also have been at risk
4
Hackers were able to access 50million user accounts – with Facebook admitting that a further 40million users may also have been at risk

Importantly, if you log into other services with Facebook, this access token would treat you as being logged into those services too.

So it doesn't matter how strong your password was, or whether two-factor authentication meant you need to receive a text or email code to log in.

The hack allowed attackers to convince these websites that they were already logged in – sneaking onto your account under the radar.

The only way to actually avoid being caught up in this hack was to (1) not have a Facebook account, or (2) get lucky, and not be targeted by the hackers.

They were also given complete access (as if they were you, effectively), and so could have accessed any part of your accounts.

"Because this issue impacted access tokens, it's worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications," said Tim Mackey, senior technical evangelist at Synopsys.

"If you've ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they've granted access rights to within Facebook."

Facebook hacked: Tech company head assures security improvements after attackers logged into 50million profiles and got access to posts, photos and messages in security breach ‘disaster’

Facebook hack – how did this breach happen

Here's how it worked...

  • Facebook's systems were compromised through the 'View As' feature
  • 'View As' lets you see your profile as another specific user would see it
  • The three bugs related specifically to a re-design of the video uploader tool
  • When using 'View As', the video uploader tool shouldn't have shown up at all
  • But on specific posts encouraging people to post happy birthday greetings, it did show up
  • The second bug was that the video uploader incorrectly used Facebook's single sign-on functionality, and generated an access token for the mobile app
  • The third bug was that when the video uploader showed up, the access token was generated for not you as the user, but for the user you were looking up
  • This was discovered by attackers, who were able to use this system to look up other users and get further tokens

The big fear is that hackers will have used automatic tools to harvest information from all 50million accounts that were compromised.

This means it's possible that hackers are currently sitting on photos, videos, and private messages for tens of millions of people around the world.

This data pool grows significantly when you add services like Tinder or Instagram into the mix.

And even if you weren't hacked yourself, messages you sent to people who were hacked may still be caught up in the hack.

This significantly increases the risk of identity fraud, blackmail, and even lost relationships.

If you've ever sent racy photos, made mean comments, or moaned about an employer on your Facebook – or in private messages – hackers may be ready and waiting to release this information right now.

 Hackers may have accessed your Tinder account
4
Hackers may have accessed your Tinder accountCredit: Getty Images - Getty

Hackers could also use the information they stole to defraud you, potentially gaining access to your bank accounts or other important services.

"Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over," said Sam Curry, chief security officer at Cybereason.

"Today, consumers are reminded again to watch their identities and credit for abuse.

"As an industry until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts."

Facebook's Mark Zuckerberg apologises to EU lawmakers over data leak at the European Parliament

If you were hacked, you'll have been logged out and received this notification.

If this is the final straw for you, follow our guide on how to delete Facebook permanently.

And it might disappoint you to find out Facebook faces a maximum fine of just £1.25billion – less than 3% of billionaire CEO Mark Zuckerberg's net worth.

A Spotify spokesperson told The Sun that although Facebook's systems allowed access to Spotify accounts, Spotify's own systems weren't directly breached.

"Spotify has not experienced a security breach," they said.

"However we recognise that many users repurpose login information across various platforms. As a precaution, anyone with concerns can update their Spotify password, or contact customer service who can assist."

What do you think should happen to Facebook after this hack? Let us know in the comments!


We pay for your stories! Do you have a story for The Sun Online news team? Email us at [email protected] or call 0207 782 4368 . We pay for videos too. Click here to upload yours.


Topics