50 Million Facebook Accounts Compromised
Facebook has announced a massive data breach affecting almost 50 million accounts. This breach, the largest in the company’s history, was discovered on September 25 and announced three days later. So far there is little information about the full impact, the motive, who may have been targeted, or whether the data accessed was misused. Here’s what we do know:

What Happened

Vulnerabilities in Facebook’s code allowed attackers to directly take over user accounts by stealing “access tokens” which are essentially keys to an account. These tokens act as authorization that keeps users logged in to their accounts over time without having to re-enter a password.

Facebook discovered the breach because it noticed an unusual spike in users on September 16, prompting investigation. The company has said that the attackers could see everything in a victim’s profile, though there is still no information about the potential misuse of this data. According to CEO Mark Zuckerberg, “So far, our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts, but this, of course, may change as we learn more.” Facebook has stated that passwords and payment information were not compromised.

How Accounts Were Accessed

This breach was made possible because of three distinct flaws in Facebook’s code that, combined, allowed attackers to see a user’s access token in the page’s HTML. This vulnerability has existed since July 2017 when Facebook implemented new video upload functionality. The “View As” page, normally a read [...]