Everything you need to know about Facebook’s data breach affecting 50M users

Facebook is cleaning up after a major security incident exposed the account data of millions of users. What’s already been a rocky year after the Cambridge Analytica scandal, the company is scrambling to regain its users trust after another security incident exposed user data.

Here’s everything you need to know so far.

What happened?

Facebook says at least 50 million users’ data were confirmed at risk after attackers exploited a vulnerability that allowed them access to personal data. The company also preventively secure 40 million additional accounts out of an abundance of caution.

What data were the hackers after?

Facebook CEO Mark Zuckerberg said that the company has not seen any accounts compromised and improperly accessed — although it’s early days and that may change. But Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that’s linked to a user’s profile page.

What data wasn’t taken?

Facebook said that it looks unlikely that private messages were accessed. No credit card information was taken in the breach, Facebook said. Again, that may change as the company’s investigation continues.

What’s an access token? Do I need to change my password?

When you enter your username and password on most sites and apps, including Facebook, your browser or device is set an access tokens. This keeps you logged in, without you having to enter your credentials every time you log in. But the token doesn’t store your password — so there’s no need to change your password.

Is this why Facebook logged me out of my account?

Yes, Facebook says it reset the access tokens of all users affected. That means some 90 million users will have been logged out of their account — either on their phone or computer — in the past day. This also includes users on Facebook Messenger.

When did this attack happen?

The vulnerability was introduced on the site in July 2017, but Facebook didn’t know about it until this month, on September 16, 2018, when it spotted a spike in unusual activity. That means the hackers could have had access to user data for a long time, as Facebook is not sure right now when the attack began.

Who would do this?

Facebook doesn’t know who attacked the site, but the FBI is investigating, it says.

However, Facebook has in the past found evidence of Russia’s attempts to meddle in American democracy and influence our elections — but it’s not to say that Russia is behind this new attack. Attribution is incredibly difficult and takes a lot of time and effort. It recently took the FBI more than two years to confirm that North Korea was behind the Sony hack in 2016 — so we might be in for a long wait.

How did the attackers get in?

Not one, but three bugs led to the data exposure.

In July 2017, Facebook inadvertently introduced three vulnerabilities in its video uploader, said Guy Rosen, Facebook’s vice president of product management, in a call with reporters. When using the “View As” feature to view your profile as someone else, the video uploader would occasionally appear when it shouldn’t display at all. When it appeared, it generated an access token using the person who the profile page was being viewed as. If that token was obtained, an attacker could log into the account of the other person.

Is the problem fixed?

Facebook says it fixed the vulnerability on September 27, and then began resetting the access tokens of people to protect the security of their accounts.

Did this affect WhatsApp and Instagram accounts?

Facebook said that it’s not yet sure if Instagram accounts are affected, but were automatically secured once Facebook access tokens were revoked. Affected Instagram users will have to unlink and relink their Facebook accounts in Instagram in order to cross post to Facebook.

On a call with reporters, Facebook said there is no impact on WhatsApp users at all.

Are sites that use Facebook Login also affected?

If an attacker obtained your Facebook access token, it not only gives them access to your Facebook account as if they were you, but any other site that you’ve used Facebook to login with, like dating apps, games, or streaming services.

Will Facebook be fined or punished?

If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.

However, that fine can’t be levied until Facebook knows more about the nature of the breach and the risk to users.

Another data breach of this scale – especially coming in the wake of the Cambridge Analytica scandal and other data leaks – has some in Congress calling for the social network to be regulated. Sen. Mark Warner (D-VA) issued a stern reprimand to Facebook over today’s news, and again pushed his proposal for regulating companies holding large data sets as ““information fiduciaries” with additional consequences for improper security.

FTC Commissioner Rohit Chopra also tweeted that “I want answers” regarding the Facebook hack. It’s reasonable to assume that there could be investigators in both the U.S. and Europe to figure out what happened.

Can I check to see if my account was improperly accessed?

You can. Once you log back into your Facebook account, you can go to your account’s security and login page, which lets you see where you’ve logged in. If you had your access tokens revoked and had to log in again, you should see only the devices that you logged back in with.

Should I delete my Facebook account?

That’s up to you! But you may want to take some precautions like changing your password and turning on two-factor authentication, if you haven’t done so already. If you’re weren’t impacted by this, you may want to take the time to delete some of the personal information you’ve shared to Facebook to reduce your risk of exposure in future attacks, if they were to occur.