Here is what happened and what it means to you.
Shortly after midnight this morning Facebook posted a security notification about a vulnerability that had been discovered and exploited 3 days previously and that impacted almost 50 million accounts; an additional 40 million accounts were proactively reset as a precaution, bringing the number of impacted accounts to 90 million. Based on a total user base of 2 billion, this is impacting less than 1% of all Facebook accounts. Something to think about.
So what happened?
Exploiting a chain of 3 vulnerabilities surrounding the “View As” feature, attackers were able to capture the session keys used to authenticate user sessions with Facebook.
A session key allows an app or device to remember a recent login; it is unique to the user account (username/password) and to the device or application. This lets you open the Facebook app on your phone without re-entering your username and password on that device, while a new device still asks for your username and password.
With valid session keys, an attacker could impersonate a known device (phone, laptop, etc.) and gain access to the account. This would permit account takeover.
Has Facebook done enough?
Yes: they have disabled the feature that allowed the access, reset 90 million account sessions (meaning some users will need to re-enter their username and password), notified the authorities and made a public statement. This follows the basic steps of dealing with a breach: Detection, Containment, Disclosure and Investigation.
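To make the session-key explanation above and the "reset 90 million sessions" containment step concrete, here is an added illustration (my own example, not Facebook's code or any description of their systems). It models a minimal server-side session store: a random token is issued after a password login, the server stores only a hash of it together with the account and a hypothetical device identifier, a presented token is checked against that record, and a bulk revocation routine forces the listed accounts back to a password login. Account names, device identifiers and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Minimal server-side session store (constructed illustration).

    A session token is a random secret handed to a device after a
    username/password login. The server keeps only a SHA-256 hash of it,
    plus the account and device it was issued to, so a copy of the store
    does not yield usable tokens, and a token presented from a different
    device identifier is rejected.
    """

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds          # hypothetical 30-day lifetime
        self._sessions = {}             # token hash -> session record

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, account, device_id, now=None):
        """Issue a fresh token once password authentication (not shown) succeeded."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[self._hash(token)] = {
            "account": account,
            "device": device_id,
            "issued": now,
            "revoked": False,
        }
        return token

    def authenticate(self, token, device_id, now=None):
        """Return the account if the token is valid for this device, else None."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._hash(token))
        if rec is None or rec["revoked"]:
            return None
        if now - rec["issued"] > self.ttl:
            return None                  # expired: user must log in again
        # Constant-time compare so a mismatch does not leak timing information.
        if not hmac.compare_digest(rec["device"], device_id):
            return None
        return rec["account"]

    def revoke_all_for(self, accounts):
        """Containment step: invalidate every live session of the given accounts.

        Users of those accounts must re-enter their username and password,
        which is exactly what a mass session reset looks like from the outside.
        Returns the number of sessions revoked.
        """
        count = 0
        for rec in self._sessions.values():
            if rec["account"] in accounts and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def demo():
    """Walk through issue, use, misuse and reset with constructed values."""
    store = SessionStore()
    token = store.login("alice", "phone-1", now=1000)
    ok = store.authenticate(token, "phone-1", now=1001)       # "alice"
    other_device = store.authenticate(token, "laptop-9", now=1001)  # None
    revoked = store.revoke_all_for({"alice"})                  # 1
    after_reset = store.authenticate(token, "phone-1", now=1002)    # None
    return ok, other_device, revoked, after_reset


if __name__ == "__main__":
    print(demo())
```

The device binding only raises the bar: a device identifier supplied by the client can be replayed along with a stolen token, which is why the decisive control after a token leak is the revocation routine, backed by a bounded token lifetime.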
What can you do to help?
There is not much users could have done to prevent this. However, turning on Two Factor Authentication is one of the best things you can do to make it incredibly hard for the bad guys to get access.
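Authenticator apps of the kind mentioned on this page generate time-based one-time codes (TOTP, RFC 6238, built on HOTP, RFC 4226). As an added example, not code from this post or from any authenticator product, here is the server-side check a site performs when you type in the six-digit code: HMAC-SHA1 over the current 30-second time step, dynamic truncation, a small skew window, a constant-time comparison, and a last-used-counter record so a code cannot be replayed. The secret used below is the RFC test secret, and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, submitted, last_counter=-1, now=None,
                step=30, digits=6, window=1):
    """Server-side verification.

    Accepts the current step and +/- `window` neighbouring steps to absorb
    clock skew, compares in constant time, and refuses any step at or before
    `last_counter` (the step of the last accepted code) to block replay.
    Returns the matched counter on success so the caller can store it, or
    None on failure.
    """
    now = time.time() if now is None else now
    current = int(now // step)
    for c in range(current - window, current + window + 1):
        if c <= last_counter:
            continue                       # already used (or older): replay
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def decode_base32_secret(text):
    """Authenticator apps exchange the shared secret as base32; restore
    padding and decode it to the raw key bytes."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 4226 / 6238 test secret (ASCII "12345678901234567890").
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret, now=59)                    # "287082"
    print("code at t=59:", code)
    print("accepted:", verify_totp(secret, code, now=59))            # 1
    print("replayed:", verify_totp(secret, code, last_counter=1, now=59))  # None
```

A real deployment persists the returned counter per user and rate-limits attempts; with six digits and a three-step window an unthrottled guess succeeds about 3 times in a million, which is fine only while the attempt count is kept small.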
So while everyone else is freaking out and getting angry, I am comfortable with the risks of using Facebook. Accordingly, I keep a lid on what I post and use Two Factor Authentication where possible.
For Two Factor Authentication, I use the Google Authenticator App on my phone. You can learn more about it here (https://www.google.com.au/landing/2step/).