This morning many of us woke to news of a Facebook security breach.
Zuckerberg has done the now-standard post to his timeline on Facebook to explain the drama.
The issue occurred on Tuesday (US time), when they discovered an attacker had exploited a technical vulnerability in the ‘View As’ feature and stolen access tokens that would allow them to log into about 50 million people’s accounts on Facebook. Yep, that’s bad.
If yours was one of the impacted accounts, then you’ll receive a notification when you next load the app or website. It is important to remember that an access token is different from your username or password, so no need to panic on that front. It is a difficult situation, because there’s no user action that would have prevented this from occurring.
Facebook has since disabled the ‘View As’ feature, typically used by Page Admins to see how their Page would appear to regular users.
Zuck says they’ve invalidated the tokens, so they’re no longer useful to the attacker, but until an investigation is completed, we won’t know what was done with user account access in the time between the theft of the tokens and when they were terminated.
More information at Facebook’s Newsroom.