Yourthis week. The social networking giant on Friday said "almost 50 million accounts" were compromised, a discovery its engineers made on Tuesday. Here's what you need to know.
According to Facebook, "attackers exploited a vulnerability in Facebook's code that affected View As, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens, which they could then use to take over people's accounts."
What's an access token?
An access token keeps you logged into Facebook so you don't need to enter your password each time you visit the site or app. If an attacker has your token, then he or she has access to your account.
Was my account hacked?
Odds are it was not. While 50 million sounds like a big number, it's a small percentage of the more than two billion active Facebook accounts. If you go to your Facebook page and don't need to log in, then your account is safe -- it was not breached. If you go to your Facebook page and find that you are logged out, then your account may have been breached.
In response to discovering the attack, Facebook reset the access tokens of the 50 million accounts it found to be compromised, which will require those users to enter their password to log back in. Facebook also took the precaution to reset access tokens of an additional 40 million accounts for those users who used the "View As" feature in the last year.
If your account was affected, Facebook will notify you in a message at the top of your News Feed when you log back in to explain what happened.
Facebook has also temporarily turned off the View As feature while it investigates.
Has Facebook fixed the breach?
According to Mark Zuckerberg himself, "We patched the security vulnerability to prevent this attacker or any other from being able to steal additional access tokens." The company, however, still does not know who is responsible for the attack.
I'm still nervous. Should I change my password?
Facebook says there's no need to change your password, but it certainly wouldn't hurt to pick a new one. After all, the Cambridge Analytica fiasco was worse than Facebook initially believed or admitted.
You could also just log out of your Facebook account and then log back in without needing to change your password. This simple action will reset your access token, which should put any immediate worries to rest while we wait for Facebook to share more information about the attack.
To log out of Facebook on all of your devices, go to the Security and Login page and in the Where You're Logged In section, click See More and then click Log Out Of All Sessions.