Almost 50 million user accounts were hacked at Facebook: Am I affected and what can I do?

Cybersecurity Threat Alert

Last week, Facebook had to contact the Irish data protection authorities. Almost 50 million profiles fell victim to a hacker attack. More than 90 million were logged out of their accounts as a precaution. We have compiled the most important questions and answers for you.

What happened?

Facebook has discovered that the digital access keys – so-called tokens – of around 50 million user accounts were stolen. These keys made it possible to break into user profiles. These keys usually serve the purpose of preventing users from having to re-enter their passwords on Facebook each time.

According to Facebook, the theft was possible due to vulnerabilities related to the “View from” feature. ¬†With its help, one’s own profile can be viewed from another person’s point of view. According to Facebook, the vulnerability has since been fixed and the relevant authorities have been notified. Facebook does not know who is behind these attacks or where the attack originated from.

What danger does the incident pose to users?

The cybercriminals had access to the profiles of those affected. This theoretically allowed them to access information in the accounts, write messages and post news. According to Facebook, it is not yet known whether the accounts were misused and what information was accessed. Another danger is the unauthorized use of accounts on websites and apps that use a Facebook login, such as Instagram, Airbnb or Spiegel Online. The perpetrators could also have accessed these services, but according to Facebook there is no evidence of this.

Who is affected?

Just under 50 million accounts are affected, according to Facebook. Their login data was reset to protect them from misuse. If you have been logged out of your account, it could be an indication that you have been affected. As a precaution, however, another 40 million accounts in which the “view ads from” feature was applied last year have been logged out, it said. The Irish Data Protection Authority announced on Twitter that less than 10 percent of affected users were from Europe.

What can I do?

Not a whole lot. Facebook took the first and most important step by automatically logging out nearly 90 million user accounts, thus invalidating the stolen keys. According to Facebook, it is not necessary to change your own password. For security, you can take two other measures.

1. Check access from foreign devices

On Facebook, you can easily check which devices had access to your account in the past time with the following steps:

Go to the menu -> “Settings” -> “Security and Login” -> “Where you are currently logged in”.

There you will find an overview of the devices used and you can also remove them in the menu next to the displayed device (“This is not you?”) if necessary.

2. Overview online services with Facebook login.

Facebook also gives you a quick overview of which websites and apps you use with the Facebook login.

Go to the menu, there to “Settings” -> “Apps and websites” -> “Logged in with Facebook”.

Here, all services that use a Facebook login and in which you are logged in are listed. You can log out of the affected service directly. This should renew the security key. At Facebook, it is also possible to remove the connection to the service if desired (Menu -> “Settings” -> “Apps and Websites” -> “Signed in with Facebook”-> mark the affected service and click “Remove”).

You can find more background information about the incident in the Facebook security update and the Facebook login update.