Las Vegas Review-Journal (Sunday)
■ Users wonder what comes next in Facebook’s major data breach.
NEW YORK — For users, Facebook’s revelation of a data breach that gave attackers access to 50 million accounts raises an important question: What happens next?
For the owners of the affected accounts, and of another 40 million that Facebook considered at risk, the first order of business may be a simple one: sign back into the app.
Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen — keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.
Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.
What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook’s code that allowed them to steal those digital keys, technically known as “access tokens.” The company says it has fixed the bugs.
Users don’t need to change their Facebook passwords, it said, although security experts say it couldn’t hurt to do so.
Neither passwords nor credit card data was stolen, said Guy Rosen, Facebook’s vice president of product management. He said the company has alerted the FBI and regulators in the United States and Europe.
Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.
Facebook confirmed late Friday that third party apps, including its own Instagram app, could have been affected.
“The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves,” Rosen said.