Facebook discovered that data for 50 million users was breached (accessed by hackers) on September 25th, 2018.

Under Mark Zuckerberg’s leadership, Facebook now faces a potential penalty of as much as $1.63 billion under the EU’s General Data Protection Regulation (GDPR). The breach was possible because of three software flaws (bugs) that together allowed hackers to obtain access tokens. Though Facebook has not figured out who is behind the attack, the company has admitted that the hackers were able to access users’ Facebook data as well as many services (such as Spotify) that users had signed up for with their Facebook account.


Spotify assures its customers that its systems have not been breached and that their data was not compromised. Facebook claims to have fixed the issue as of September 27, 2018, and users can still sign in to the Spotify service using Facebook.

If your Facebook account was one of the affected ones, your data could be for sale by hackers for as little as $3.90. This security breach has implications beyond your Facebook password, because hackers had access to your Facebook messages, photos, videos, friend list, and other identifying information.

Any account that users created using the “Log in with Facebook” feature could have also been accessed by hackers. This includes everything from Tinder to AirBnB, and everything in between.

How did hackers get access to so much Facebook data?

Hackers requested “access tokens” (or “digital access tokens”) from the Facebook system after they discovered the vulnerability caused by the three software bugs.

Any time people sign in to a service online, the website issues them an access token. The token is the proof that you entered the correct account information and should be treated as signed in. Once the hackers held a user’s Facebook access token, they could request tokens for any service for which Facebook creates access tokens, that is, any service that accepts Facebook login.

In other words, hackers were able to use accounts as if they were signed in as the authentic users. Because the systems were tricked into believing that the hackers were already signed in, no password was required and the two-factor authentication step was bypassed entirely: those checks happen before a token is issued, not each time it is presented.
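As an added illustration (not Facebook's code and not part of the original post), this hypothetical server-side token store shows why a copied bearer token is accepted with no password or second factor, and how expiry and bulk revocation of tokens issued before a cutoff are what actually cut off that access.

```python
import hashlib
import secrets


class TokenStore:
    """Hypothetical in-memory access-token store (constructed for this example)."""

    def __init__(self):
        # token hash -> (user_id, issued_at, expires_at); times are epoch seconds
        self._tokens = {}

    @staticmethod
    def _digest(token):
        # Keep only a hash server-side so a leaked store does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now, ttl=3600):
        # Called only AFTER the password and any second factor have been verified.
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now, now + ttl)
        return token

    def authenticate(self, token, now):
        # The bearer token is the only proof presented: no password, no 2FA.
        # Whoever holds the string, legitimate user or thief, is treated the same.
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return None
        user_id, _issued_at, expires_at = rec
        if now >= expires_at:
            return None
        return user_id

    def revoke_issued_before(self, cutoff):
        # Bulk revocation: drop every token issued before the cutoff so affected
        # users must sign in again (password and 2FA) and stolen copies stop working.
        doomed = [h for h, (_, issued, _) in self._tokens.items() if issued < cutoff]
        for h in doomed:
            del self._tokens[h]
        return len(doomed)


if __name__ == "__main__":
    store = TokenStore()
    alice_token = store.issue("alice", now=1000)
    stolen_copy = alice_token  # an attacker who obtains the token has the same string
    print(store.authenticate(stolen_copy, now=1500))  # alice: accepted, no 2FA asked
    store.revoke_issued_before(cutoff=2000)
    print(store.authenticate(stolen_copy, now=1500))  # None: revoked
```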

For many users, this means that hackers had access to private conversations, photos, and other content on Facebook, as well as to services such as Tinder and AirBnB. During the breach, hackers had the ability to read dating conversations and view past and future travel reservations.

Fast Company has some security tips for those concerned about their Facebook data. This blog will be updated as new information becomes available.