Gamasutra is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Gamasutra: The Art & Business of Making Gamesspacer
View All     RSS
May 24, 2019
arrowPress Releases

If you enjoy reading this site, you might also want to check out these UBM Tech sites:

50 million Facebook accounts hit by account hijacking security exploit

50 million Facebook accounts hit by account hijacking security exploit

September 28, 2018 | By Alissa McAloon

Facebook has learned of a security vulnerability that has opened up millions of its users to account theft over the past year, though the company notes it is still investigating any impact the exploit has had to date.

While the exploit wasn’t related to Facebook’s game platform itself, the issue potentially affects 50 million Facebook accounts, making it an issue developers using the platform should be well aware of.

The issue itself is detailed in a blog post shared by Facebook and has since been fixed and reported to law enforcement. While the cause for the vulnerability seems to, by Facebook’s reports, be the result of several different small issues in the platform’s code, the core issue itself involved the “view as” feature that is intended to let a user see what information they’re showing other Facebook users. 

However, an issue with “View As” instead let attackers take access tokens from Facebook accounts and allow them to hijack those accounts themselves by using the tokens to log in as an exploited user. 

Facebook says that it has now reset the access tokens of the nearly 50 million accounts it knows to be affected, and has reset the access tokens for an additional 40 million accounts that aren’t known victims but had “View As” activity in the past year. Any affected users will have to log back into Facebook, both on the site and any third-party apps or locations using Facebook login, and have been sent a notice about the issue.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” reports Facebook. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”

Related Jobs

Sucker Punch Productions
Sucker Punch Productions — Bellevue, Washington, United States

Lighting Artist
Petroglyph Games
Petroglyph Games — Las Vegas, Nevada, United States

Senior Game Engineer (C++)
Deep Silver Volition
Deep Silver Volition — Champaign, Illinois, United States

Senior Animator
Intrepid Studios
Intrepid Studios — San Diego, California, United States

UX Designer

Loading Comments

loader image