Were you logged out of Facebook recently? Maybe booted off from Instagram, Messenger and sites that you had logged into with Facebook too?

That was Facebook hitting the panic button after a mass hack that allowed attackers to gain full control over users accounts took place.

All in all, 90 million accounts were logged off and as Facebook founder Mark Zuckerberg told media, "this is a really serious security issue". Zuckerberg and chief operating officer of Facebook Sheryl Sandberg's accounts were both accessed in the attack and the actual number of compromised users could grow thanks to social network being everywhere.


Someone figured out how to use three separate bugs together so as to create a major vulnerability, ironically enough through the View As privacy feature that lets you check what other people can see on your Facebook page.

One of the bugs in Facebook's video uploader used for wishing people happy birthday would generate a new Open Authorisation (OAuth 2) access token, for the user that the attacker was viewing a page as.

Those OAuth access tokens allows apps access to people's data without them having to give out usernames and passwords. It's convenient, and having people logged into Facebook via access tokens also boosts the social network's active user figures.

Facebook calls the access tokens "digital keys" and they really need to be kept safe. If an attacker gets hold of them, it's game over for your accounts everywhere that use Facebook logins. Think smartphone apps, websites, comments sections and more.

What happened here was that Facebook not only didn't keep the digital keys safe, but its software happily handed over 50m new ones to the attacker. A hacker jackpot of epic proportions that bypassed strong, unique passwords and two-factor authentication.
This happened because of bugs (although it sounds like misconfiguration was the case) that were, wait for it, introduced 14 months ago. Facebook has no idea if the vulnerability was exploited prior to this month.

Linking Facebook and Instagram accounts isn't necessarily a good idea. Photo/Getty Images.
Linking Facebook and Instagram accounts isn't necessarily a good idea. Photo/Getty Images.

That's when Facebook noticed a huge spike in activity, as the attacker accessed people's profiles. Experience from past data breaches indicates the info from the taken Facebook profiles will likely be used to personalise phishing emails for greater authenticity.

We don't know who's behind the attack yet, but a well-known Taiwanese researcher and bug bounty hunter claimed credit for finding the vulnerability and allegedly threatened to delete Zuckerberg's Facebook account in a livestream.

He didn't embark on that career-limiting move, however, and instead posted screenshots of messages from Facebook's security team saying they were able to replicate the vulnerability and acknowledged it. The researcher is unlikely to get bounty money in this instance.


While we wait for a full post-mortem on the hack to discover just how many accounts were affected, head over to Facebook's security and login page and check for any unusual activity.

The lesson here is not to use social media accounts to log into services anywhere - and be very careful if you link, for instance, your Facebook and Instagram.

Sure, it's convenient but you get tracked by social media companies and could put your personal (and business) information in danger. That's not worth it.