
The ACSC is aware of a security issue affecting 50 million Facebook user accounts whereby a flaw in the 'View As' feature allowed attackers to steal Facebook access tokens, which could be used to take over users' accounts. Access tokens are the equivalent of digital keys that allow users to remain logged into Facebook.

Alert status
MEDIUM

'This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted the "View As" feature', Facebook stated on their website.

Facebook say they have fixed the vulnerability and have informed law enforcement agencies.

To minimise the risk of further breaches, Facebook users should log out of any associated websites that use Facebook credentials. Users should visit the "Security and Login" section on Facebook to make any changes.

The impact on Australian users is unknown at this stage.

Head of ACSC, Alastair MacGibbon, is reminding people to watch out for possible phishing attacks. 'Australians should keep a look out for any unusual activity from friends or family on their Facebook accounts.'

'This is a timely reminder for Australians to be constantly wary of criminals seeking to exploit their personal information online.'

The ACSC is working closely with the Privacy Commissioner to establish if Facebook has violated any terms in the Privacy Act 1988.