The Facebook app typically keeps you logged in pretty much forever, so you can pop by at any time and scroll through your feed (and look at a few ads while you’re at it). This morning, however, 90 million users found that they had to log back in thanks to a “your session has expired” error message. It seemed like a simple bug, but it’s actually the result of a “security issue” that Facebook discovered earlier this week that could affect the personal data of up to 50 million users.
According to Facebook’s statement, Facebook employees originally noticed the issue on Tuesday, September 25. The problem arose from a vulnerability in a feature called “View As,” which allows users to see their pages the way others would. This feature relied on an “access token,” the credential that sits on your computer or phone and keeps you logged in at all times without asking for your password again.
By stealing that access token, people with bad intentions could “take over” an account, Facebook says. According to statements made after the initial revelation, the vulnerability traced back to a utility that allowed users to upload “Happy Birthday” videos to their feeds.
Facebook says it has fixed the issue and that it revoked the access tokens for the 50 million accounts that may be affected, as well as 40 million more that have been subject to a “view as” lookup within the last year.
The company has disabled “View As” functionality for the moment, which it says will prevent further account hacks. However, the company goes on to say that the investigation is just getting started, so if you get randomly logged out of all your Facebook stuff in the coming weeks or months, you may also get a security notice once you’re back in. Even if you don’t see a notice when you log in (I didn’t when it happened to me this morning), it’s probably a good idea to check the Facebook newsroom to see if more accounts were affected.
This investigation will likely go on for some time and Facebook is reportedly already working with the FBI because of the complexity of the attack. The company hasn’t said whether or not it’s possible that a foreign actor or even a nation-state could be involved, but it’s a question we will likely hear a lot as the probe progresses.
Right now, Facebook says you don’t have to change your passwords because the hackers used a side entrance to your account (a stolen access token) rather than compromising your login credentials. The company also says that credit card information is safe if you have it stored in your account, but it can never hurt to be vigilant about your other accounts and logins.
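To make concrete why Facebook’s remedy was to revoke access tokens (forcing the “session has expired” re-login) rather than ask for password resets, here is an added example of a server-side bearer-token store with bulk revocation. This is illustrative code written for this article, not Facebook’s code; the class and function names, the 60-day token lifetime, and the constructed incident scenario are all assumptions.

```python
"""Illustrative bearer-token store: why bulk token revocation, not a password
reset, is the remedy when long-lived access tokens are stolen.
Added example; not Facebook's code. Names and lifetimes are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass

SIXTY_DAYS = 60 * 24 * 3600  # assumed token lifetime, in seconds


@dataclass
class TokenRecord:
    user_id: str
    issued_at: float
    expires_at: float


class TokenStore:
    """Server-side record of issued access tokens, keyed by the SHA-256 of the
    token so that a leaked database does not hand out usable bearer tokens."""

    def __init__(self):
        self._records = {}   # token digest -> TokenRecord
        self._by_user = {}   # user_id -> set of token digests (for bulk revocation)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float, ttl: int = SIXTY_DAYS) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = self._digest(token)
        self._records[digest] = TokenRecord(user_id, now, now + ttl)
        self._by_user.setdefault(user_id, set()).add(digest)
        return token

    def validate(self, token: str, now: float):
        """Return the owning user id, or None when the token is unknown,
        revoked or expired (the client then sees 'your session has expired')."""
        digest = self._digest(token)
        rec = self._records.get(digest)
        if rec is None:
            return None
        if now >= rec.expires_at:
            self._remove(digest)
            return None
        return rec.user_id

    def _remove(self, digest: str) -> None:
        rec = self._records.pop(digest, None)
        if rec is not None:
            self._by_user.get(rec.user_id, set()).discard(digest)

    def revoke_user(self, user_id: str) -> int:
        """Invalidate every token a user holds; returns how many were revoked."""
        digests = list(self._by_user.get(user_id, ()))
        for d in digests:
            self._remove(d)
        return len(digests)

    def revoke_users(self, user_ids) -> int:
        """Bulk revocation across an affected population of accounts."""
        return sum(self.revoke_user(u) for u in user_ids)


class AccountService:
    """Minimal account model. Note that set_password never touches the token
    store: a password change alone leaves an already-stolen token valid."""

    def __init__(self):
        self.tokens = TokenStore()
        self._password_hashes = {}

    def set_password(self, user_id: str, password: str) -> None:
        salt = b"fixed-demo-salt"  # constructed; real systems use a per-user random salt
        self._password_hashes[user_id] = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, 100_000)


def simulate_incident() -> dict:
    """Constructed scenario: a copy of alice's token has leaked. Shows that only
    revocation, not a password change, stops the token from being accepted."""
    svc = AccountService()
    t0 = 1_000_000.0
    svc.set_password("alice", "correct horse")
    svc.set_password("bob", "battery staple")
    alice_token = svc.tokens.issue("alice", now=t0)
    svc.tokens.issue("bob", now=t0)
    leaked = alice_token  # the copy that left alice's control

    out = {}
    out["valid_before"] = svc.tokens.validate(leaked, now=t0 + 3600)
    svc.set_password("alice", "new password")
    out["valid_after_password_change"] = svc.tokens.validate(leaked, now=t0 + 7200)
    out["revoked"] = svc.tokens.revoke_users({"alice", "bob"})
    out["valid_after_revocation"] = svc.tokens.validate(leaked, now=t0 + 7200)
    fresh = svc.tokens.issue("alice", now=t0 + 7200)  # re-login after revocation
    out["fresh_valid"] = svc.tokens.validate(fresh, now=t0 + 7201)
    out["fresh_expired"] = svc.tokens.validate(fresh, now=t0 + 7200 + SIXTY_DAYS)
    return out


if __name__ == "__main__":
    for key, value in simulate_incident().items():
        print(f"{key}: {value}")
```

The design point: because the token, not the password, is what the client presents on every request, the server must keep an index from user to issued tokens so it can invalidate them in bulk for an affected population, which is exactly the step that produced the mass logout described above.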
We will update this article with future developments.