ANTI SOCIAL

Facebook hack may have given attackers access to nearly FIVE MILLION Brit profiles

FACEBOOK'S latest breach may have left nearly five million Brits exposed – with attackers gaining access to their profiles, posts, photos, videos and private messages.

The monumental security blunder affected 50million accounts globally, making the Facebook hack one of the most devastating in history.

Facebook recently admitted that it had left virtual doors wide open for hackers to access 50million accounts (Credit: AFP or licensors)

According to Ireland's Data Protection Commission, Facebook is yet to stump up actual figures about how many Europeans were affected.

But a DPC spokesperson said they now have a rough idea: "Facebook issued a blog on Friday last indicating that 50million accounts were potentially affected by a security issue.

"We understand that the number of EU accounts potentially affected is less than 10% of that.

"Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon."

Tech tyrant Mark Zuckerberg's social network serves more than 2.23billion users every single month (Credit: AP:Associated Press)

That potentially means that 10% of the 50million globally-affected accounts were British – meaning as many as five million Brits were hacked.

However, it's almost certainly going to be fewer people than that.

The EU's population currently stands at around 526million people, while the UK's population is far smaller at 65.64million.

That means Britain makes up around 12% of the entire EU population, so the actual figure of hacked users is probably closer to 12% of 5million.

So we'd probably expect somewhere in the region of 600,000 Brits to have been caught up in Facebook's hack attack.

According to Facebook, specific details will come soon.

"We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue," a Facebook spokesperson said.

"As we work to confirm the location of those potentially affected, we plan to release further info soon."

 Users caught up in the hack will have been logged out and served with this notification – but at least four users told The Sun that they didn't receive the pop-up on Friday

Facebook hack – how did this breach happen?

Here's how it worked...

  • Facebook's systems were compromised through the 'View As' feature
  • 'View As' lets you see your profile as another specific user would see it
  • The three bugs related specifically to a re-design of the video uploader tool
  • When using 'View As', the video uploader tool shouldn't have shown up at all
  • But on specific posts encouraging people to post happy birthday greetings, it did show up
  • The second bug was that the video uploader incorrectly used Facebook's single sign-on functionality, and generated an access token for the mobile app
  • The third bug was that when the video uploader showed up, the access token was generated not for you as the user, but for the user you were looking up
  • This was discovered by attackers, who were able to use this system to look up other users and get further tokens

Facebook announced the hack late on Friday, slipping the news out in a blog post.

The company revealed that a bug introduced in June 2017 allowed hackers to acquire access tokens for any user.

Access tokens are like digital keys that remind websites that you're already logged in.

So if you close a Facebook tab and re-open it, you'll still be logged into your account.

If someone can get your access token, Facebook will treat them as if they're already logged into your account – bypassing emails, passwords, and two-factor authentication.

According to Facebook, at least 50million people were caught up in the attack – with a further 40million potentially at risk too.

In response, Facebook forced log-outs for all 90million potentially affected users.
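
As an added illustration (not Facebook's code, and not part of the original article), the Python sketch below models the flaw described above in simplified form: a widget that issues a login token for the profile being simulated in 'View As' rather than for the person actually logged in, shown next to a corrected version and the forced log-out that invalidates issued tokens. All class, function and user names are hypothetical.

```python
import secrets


class TokenService:
    """Toy token store. Hypothetical names, not Facebook's API."""

    def __init__(self):
        self._tokens = {}  # token -> account the token logs in as

    def mint(self, user_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user_id
        return token

    def whoami(self, token):
        """Account this token grants access to, or None if invalid."""
        return self._tokens.get(token)

    def revoke_user(self, user_id):
        """Forced log-out: invalidate every token issued for user_id."""
        stale = [t for t, u in self._tokens.items() if u == user_id]
        for t in stale:
            del self._tokens[t]
        return len(stale)


def uploader_token_buggy(svc, session_user, view_as_user=None):
    # Flaw modelled: the widget still runs in 'View As' mode and binds
    # the token to the simulated viewer, not the logged-in user.
    return svc.mint(view_as_user or session_user)


def uploader_token_fixed(svc, session_user, view_as_user=None):
    # Hardened: nothing is issued in 'View As' mode, and a token is only
    # ever bound to the authenticated session's own account.
    if view_as_user is not None:
        return None
    return svc.mint(session_user)


def demo():
    svc = TokenService()  # constructed sample accounts: alice, bob
    leaked = uploader_token_buggy(svc, "alice", view_as_user="bob")
    before = svc.whoami(leaked)          # alice now holds bob's key
    blocked = uploader_token_fixed(svc, "alice", view_as_user="bob")
    revoked = svc.revoke_user("bob")     # the forced log-out
    return before, blocked, revoked, svc.whoami(leaked)
```

Calling `demo()` shows the leaked token resolving to the other account until the forced log-out revokes it, while the corrected function issues nothing in 'View As' mode.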

Hackers who gained access to your account would've been able to browse your Facebook "as if they were the account holder", according to Facebook.

They would've been able to see all of the sensitive info on your account, and even snoop on your private messages.


Facebook hack timeline – when did it all happen?

Here's what you need to know...

  • The vulnerability in Facebook's code was the result of three separate bugs
  • These were created in July 2017, when Facebook created a new video upload functionality
  • On September 16, 2018, Facebook discovered unusual activity, which manifested itself as a "spike in users", according to officials
  • Facebook then launched an investigation
  • On Tuesday, September 25, Facebook uncovered the attack and found the vulnerability
  • On Wednesday, September 26, Facebook notified law enforcement
  • On Thursday evening – September 27 – Facebook said it fixed the vulnerability
  • On Friday evening – September 28 – Facebook disclosed the vulnerability to the public

Worse still, the breach also exposed other third-party services that use Facebook's log-in feature.

So if you log into apps like Tinder, Messenger, Instagram, Spotify or Airbnb using Facebook, hackers would've been able to get into those apps too.

This means the hack puts users at significant risk of identity fraud and blackmail – especially if hackers automated data collection across the 50million accounts.


Facebook may be facing a significant fine of £1.25billion from the EU as a result – the maximum possible penalty that can be applied.

But yesterday The Sun revealed how this figure actually only equates to less than 3% of billionaire CEO Mark Zuckerberg's personal fortune.

And the sum is worth just 0.03% of Facebook's current total market value – barely a slap on the wrist.

The security blunder seems even worse when you consider that slippery Zuck once called Facebook users "dumb f***s" for handing their personal info over to him.

Do you think Brits deserve compensation after this stunning cybersecurity gaffe? Let us know in the comments!

