“If you’ve ever wondered what keeps you logged into your account even after you restart your laptop/browser - those are access tokens (cookies). In this case, hackers were able to steal these tokens. It means the hacker could fool Facebook servers to believe they are the authorised users of the target’s account that would give the attacker complete access to the target’s account,” explained Saket Modi, CEO & Co-Founder, Lucideus.
Facebook had said it invalidated the access tokens for the affected accounts, which logged those users out.
"These people will now have to log back in to access their accounts again and we will also notify these people in a message on top of their News Feed about what happened when they log back in," Facebook CEO Mark Zuckerberg had said.
Anand Prakash, founder of cyber security company AppSecure, said that even though the social networking website has reset all the access tokens that were affected, this does not solve the problem, because most websites offer a login-with-Facebook option, including Instagram, Tinder, MakeMyTrip, Snapchat and Zomato.
“So if an attacker had used my access token to log into another account, say MakeMyTrip, my session is still valid and it can be accessed by the hacker, and Facebook does not have any control over that,” said Prakash, whose own account was also compromised in August.
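To make concrete why resetting the identity provider's tokens does not end a session at a third-party site, here is a constructed, added example (not code from Facebook, from AppSecure, or from anyone quoted in this article) modelling a generic "log in with" flow. The relying party validates the provider's token once, then mints its own session cookie; unless it re-checks with the provider on later requests, that cookie keeps working after the provider revokes the token. The `IdentityProvider`, `RelyingParty` and `scenario` names, the in-memory token stores and the re-validation policy are assumptions for illustration only.

```python
import secrets
from dataclasses import dataclass, field

# Constructed, simplified model of federated login. It is not Facebook's code
# and makes no claim about how any real provider or site stores sessions.
# IdP = identity provider ("Log in with ..."); RP = relying party (third-party site).


@dataclass
class IdentityProvider:
    # access token -> user id
    tokens: dict = field(default_factory=dict)

    def issue_token(self, user: str) -> str:
        """Mint a fresh, unguessable access token for a logged-in user."""
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = user
        return tok

    def validate(self, token: str):
        """Return the user the token belongs to, or None if it is unknown or revoked."""
        return self.tokens.get(token)

    def invalidate_all(self, user: str) -> None:
        """Mass reset: every token held for this user (stolen or not) stops validating."""
        for tok in [t for t, u in self.tokens.items() if u == user]:
            del self.tokens[tok]


@dataclass
class RelyingParty:
    idp: IdentityProvider
    # Assumed hardening switch: re-check the IdP token on every request when True.
    revalidate: bool = False
    # RP's own session cookie -> (user, IdP token the session was created from)
    sessions: dict = field(default_factory=dict)

    def login_with_idp(self, idp_token: str):
        """Exchange a valid IdP token for a local session cookie (the "Log in with" step)."""
        user = self.idp.validate(idp_token)
        if user is None:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, idp_token)
        return cookie

    def whoami(self, cookie: str):
        """Resolve a session cookie to a user, as the RP would on each request."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        user, idp_token = entry
        if self.revalidate and self.idp.validate(idp_token) is None:
            # The IdP no longer vouches for this login, so drop the local session too.
            del self.sessions[cookie]
            return None
        return user


def scenario(hardened: bool) -> dict:
    """Replay the situation described in the article with a constructed victim and attacker.

    Returns what each side believes after the IdP resets the victim's tokens.
    """
    idp = IdentityProvider()
    rp = RelyingParty(idp, revalidate=hardened)

    victim_token = idp.issue_token("victim")
    # The attacker has obtained the victim's IdP token (how is out of scope here)
    # and uses it to log into the relying party as the victim.
    attacker_cookie = rp.login_with_idp(victim_token)
    rp_before = rp.whoami(attacker_cookie)

    # The IdP invalidates all of the victim's tokens (the "logged out" reset).
    idp.invalidate_all("victim")

    return {
        "rp_before": rp_before,                    # "victim" in both variants
        "idp_after": idp.validate(victim_token),   # None: the IdP token is dead
        "rp_after": rp.whoami(attacker_cookie),    # "victim" unless the RP re-validates
    }


if __name__ == "__main__":
    print("naive RP:   ", scenario(hardened=False))
    print("hardened RP:", scenario(hardened=True))
```

In the naive variant the attacker's session at the relying party survives the provider's reset, which is exactly the gap Prakash describes: the provider has no handle on a session it did not issue. The hardened variant closes it by asking the provider on each request whether the originating token is still good; in practice a site would do the same check on a short interval or act on a revocation notification from the provider rather than on every request, but either way the relying party has to take that step itself.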
As a precaution, Modi said, “I recommend that all Facebook users log out and log back in on all the gadgets where you have an active Facebook session, such as your cell phone (app or browser), laptop and desktop.”