Hours after Facebook revealed the breach on Friday, some YouTube videos, which were seen several thousand times, described a method similar to the one used by the hackers to get access to the millions of Facebook accounts, The Telegraph reported on Saturday.
It's also not yet clear who is behind the attack on Facebook, whether the attacks were targeted, or what the motive was. Facebook has now patched the vulnerabilities and revoked the compromised access tokens, forcing affected users to log back in (though their passwords haven't been compromised, the company says) and notifying them about the issue.
Plaintiffs now fear that because of the Facebook breach their personal data may be easily accessible to hackers on the Dark Web.
So if you tied your Facebook login to Messenger, Instagram, Spotify, Tinder or Airbnb, just to name a few, hackers will have been able to slip into those accounts too. The convenience comes at a cost: all of these platforms share the same access credentials. The attackers not only needed to find this vulnerability and use it to get an access token; they then had to pivot from that account to others to steal more tokens.
The bug allowed hackers to generate access tokens for absolutely anyone on the website, so Facebook has temporarily disabled that feature.
Ireland's Data Protection Commission, which is Facebook's lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which European Union residents might be affected. Simply put, the affected feature lets Facebook users preview their own accounts. Two-factor authentication involves the use of a one-time password as you try to log into your account, but having it enabled does not help here: even if you have to enter the OTP sent to your mobile to log in to Facebook, a stolen access token works regardless.
News broke early this year that Cambridge Analytica, a data analytics firm that once worked for the Trump campaign, had gained access to personal data from millions of user profiles.
"Because this issue impacted access tokens, it's worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications", said Tim Mackey, senior technical evangelist at Synopsys.
In Facebook's case, the maximum sum would be approximately $1.63 billion.
Mark Warner (D., Va.), vice chair of the Senate Intelligence Committee, whose latest lambasting of Facebook came Friday, declined to comment today about the potential fine.
"The access token enables someone to use the account as if they were the account holder themselves".
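The two quoted points above, that an access token stands in for a username and password and that Facebook's response was to revoke the compromised tokens rather than reset passwords, can be illustrated with a small server-side token store. The following is an added example and not Facebook's code or anything described in the article; the `TokenStore` class, its per-user "generation" counter and the sample users are constructed for this illustration. Bumping a user's generation invalidates every token issued under the old generation in one step, which forces a fresh login while the stored password remains unchanged, exactly the outcome the article reports.

```python
"""Bearer-token store with bulk revocation (constructed example, not the platform's code)."""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the password hash is never touched by token revocation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenStore:
    """Issues opaque bearer tokens and lets an operator revoke all of a user's tokens at once."""

    def __init__(self):
        self._passwords = {}   # user_id -> (salt, pbkdf2 hash)
        self._generation = {}  # user_id -> current token generation
        self._tokens = {}      # token -> (user_id, generation at issuance)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[user_id] = (salt, _hash_password(password, salt))
        self._generation[user_id] = 0

    def login(self, user_id: str, password: str):
        """Verify the password and, on success, mint a token bound to the current generation."""
        record = self._passwords.get(user_id)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._generation[user_id])
        return token

    def validate(self, token: str):
        """Return the user id the token acts for, or None if unknown or revoked."""
        record = self._tokens.get(token)
        if record is None:
            return None
        user_id, issued_generation = record
        # A token from an older generation is treated as revoked, whoever presents it.
        if issued_generation != self._generation[user_id]:
            return None
        return user_id

    def revoke_all(self, user_ids) -> None:
        """Breach response: invalidate every outstanding token for the listed users.

        Passwords are untouched, so affected users simply log in again.
        """
        for user_id in user_ids:
            if user_id in self._generation:
                self._generation[user_id] += 1


def breach_response_demo() -> dict:
    """Walk through the incident lifecycle and return the observable outcomes."""
    store = TokenStore()
    store.register("alice", "correct horse battery staple")   # constructed sample user
    store.register("bob", "hunter2-but-longer")               # constructed sample user
    alice_token = store.login("alice", "correct horse battery staple")
    bob_token = store.login("bob", "hunter2-but-longer")

    before = store.validate(alice_token)          # token acts as Alice, like a password would
    store.revoke_all(["alice"])                   # only Alice's tokens were exposed
    after = store.validate(alice_token)           # stolen copies of the token now fail
    bob_unaffected = store.validate(bob_token)    # unrelated users keep their sessions
    relogin = store.login("alice", "correct horse battery staple")  # same password still works
    return {
        "before_revocation": before,
        "after_revocation": after,
        "bob_unaffected": bob_unaffected,
        "relogin_valid": store.validate(relogin),
    }


if __name__ == "__main__":
    print(breach_response_demo())
```

The generation counter is the detail that matters operationally: a revocation list of individual token strings would need every stolen copy enumerated, whereas bumping one integer per affected user invalidates all of them, including tokens the defender never saw.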
Ed Mierzwinski, the senior director of consumer advocacy group U.S. PIRG, said the breach was "very troubling". There you will see hyperlinked text saying "Where you're logged in".