Facebook users must log out, re-login into gadgets, at all times: Experts

As the newly-appointed Facebook India MD takes charge next year, he will have his plate full of responsibilities. Apart from working on Facebook’s India strategy and driving the social network giant’s investments in the country, he will have to clear the air on Facebook data breach, which has impacted over 50 million users around the globe.

Since India is the biggest market for the Mark Zuckerberg-founded company with over 270 million users, a major number of accounts from here are likely to have been compromised.

Basically, this breach disclosed the access token of the users and the whole Facebook app runs on access tokens. It was leaked for about 50 million users because of which the attacker could impersonate the user completely without knowing his/her ID or password. 

“If you’ve ever wondered what keeps you logged into your account even after you restart your laptop/browser - those are access tokens (cookies). In this case, hackers were able to steal these tokens. It means the hacker could fool Facebook servers to believe they are the authorised users of the target’s account that would give the attacker complete access to the target’s account,” explained Saket Modi, CEO & Co-Founder, Lucideus.

Facebook had said it had invalidated access tokens for the accounts, causing those users to be logged out.

"These people will now have to log back in to access their accounts again and we will also notify these people in a message on top of their News Feed about what happened when they log back in," the Facebook CEO Zuckerberg had said.

Anand Prakash, founder of cyber security company AppSecure, said even though the social networking website has reset all the access tokens which were impacted, it doesn’t solve the problem because most of the websites have login from Facebook option, including Instagram, Tinder, MakeMyTrip, SnapChat and Zomato.

“So if an attacker had used my access token to log into another account, say MakeMyTrip, my session is still valid and it can be accessed by the hacker, and Facebook does not have any control on that,” said Prakash, whose own account was also compromised in August.

As a precaution, Modi said, “I recommend all Facebook users to log out and re-login into all the gadgets that you have your Facebook session active like your cell phone (app or browser), laptop, desktop.”

Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel