Facebook security issue affects 50M user accounts

The ACSC is aware of a security issue affecting 50 million Facebook user accounts.

A flaw in the “View As” feature allowed attackers to steal Facebook access tokens, which could be used to take over users’ accounts. Access tokens are the equivalent of digital keys that allow users to remain logged into Facebook without re-entering their password.

‘This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted the “View As” feature’, Facebook stated on their website.

Facebook say they have fixed the vulnerability and have informed law enforcement agencies.

To minimise the risk of further breaches, Facebook users should log out of any associated websites that use Facebook credentials. Users should visit the “Security and Login” section on Facebook to make any changes.

The impact on Australian users is unknown at this stage.

Head of ACSC, Alastair MacGibbon, is reminding people to watch out for possible phishing attacks. ‘Australians should keep a lookout for any unusual activity from friends or family on their Facebook accounts.’

‘This is a timely reminder for Australians to be constantly wary of criminals seeking to exploit their personal information online.’

The ACSC is working closely with the Privacy Commissioner to establish if Facebook has violated any terms in the Privacy Act 1988.

What you should do

Facebook recommend that users who are having issues logging in visit the Help Centre page. Users who want to log out of their Facebook accounts should visit the “Security and Login” section in Settings.

For further information, see Facebook’s Security Statement.

How to protect yourself

The ACSC has a number of preventative measures Australians can take if they are the target of a phishing scam:

  • Change any passwords you have revealed.

  • Inform the organisation the scammer pretended to be from.

  • If you’ve sent money or personal banking details to a scammer, contact your bank immediately. Most big banks will cover any loss if someone makes an unauthorised transaction on your account, as long as you have protected your client number and passwords.

  • IDCare is Australia and New Zealand’s national identity and cyber support service and is available on 1300 432 273 if you believe your personal information has been put at risk.

  • Report scams to the Australian Competition and Consumer Commission’s Scamwatch. Include as much information as possible about the scam message in your report (e.g. the email itself, or a screenshot).

  • If the phishing has led to a crime, file a report with Australian Cybercrime Online Reporting Network (ACORN).

More information

Visit cyber.gov.au to learn more about cyber security, including common threat types and understanding how passwords can be your first line of defence.

For cyber security advice or to report a cyber incident or threat, you can email [email protected] or call 1300 CYBER 1 (1300 292 371).

Visit the OAIC website for further information on the incident.