
A while ago, I was opening the Facebook app on Android and got the message "Session expired. Please log in again." I then tried logging in with my current password and was able to log in to my account. A long time ago, when I created this account, I had set up two-factor authentication for my account, and when I checked after logging in, it was still active.

After that, I opened my laptop and Chrome, then went to Facebook, just to find out that the session on the PC had also been logged out. After I logged back in, I went to Security under Settings and checked the section "When you're logged in", and I saw that all of the past logged-in entries were gone. The only entries I had were the logins on my phone and my laptop (which also appeared to be my trusted devices).

I was thinking that someone had tried (and succeeded?) to access my account, then logged out of all current sessions. However, I did not get any suspicious prompt on my phone to authenticate an unusual login (like "Did you just log in near location xxxxx?"), and also no warning email to my registered email address telling me that my account had been accessed on an unrecognized browser or computer.

TL;DR: Facebook account suddenly got logged out of all devices, password was not changed, logged-in entries are gone, no email warning about the account being compromised, no two-factor authentication prompt showed up.

My questions are:

  • Are there any chances that someone was successfully able to get into my account? If yes, then how could they bypass the two-factor authentication?

  • Is that incident normal, or should I take security actions?

Thank you!

MattCat15
  • Which 2FA method do you use? I don't remember which methods Facebook provides, but SMS is weak because someone can impersonate you and obtain a SIM with your number easily, thus receiving the SMS instead of you (this has happened several times. There was a serial impersonator that targeted big YouTube creators and deleted their channels. They did this to multiple creators). However, if this was the case your SIM shouldn't be working right now. Other types of 2FA would be harder to break without getting access to the trusted device. Maybe the sessions just expired. – Giacomo Alzetta Sep 28 '18 at 14:19
  • I use both SMS and the Code Generator from the Facebook for Android app. About the SMS, my SIM is still working fine. For the Code Generator, I actually don't have to open the Facebook app to get the OTP code. There will be a prompt in the swipe-down notification bar; I can click "Yes" to verify my login, or "No" in case of suspicious activity. After I click "Yes", the browser automatically redirects me to the News Feed. – MattCat15 Sep 28 '18 at 14:28
  • I believe you should remove SMS. They do not really add any security and in fact they reduce it by a lot (as I said: it's quite easy to convince someone at a SIM shop to give you a SIM for an existing number, so basically it renders your password useless). AFAIK, from what you told, I don't think there is anything fishy about this; maybe you created the sessions on all your devices almost at the same time and they all expired in a short period of time. – Giacomo Alzetta Sep 28 '18 at 14:34
  • I was logged out on all devices, but also on the same device twice, after logging in again after the first logout. – Roland Pihlakas Sep 28 '18 at 22:50
  • **+1 for noticing you were asked to log in unexpectedly.** Noticing when a security measure (such as authentication) is demanded unexpectedly is a good security practice. **Hopefully, you also verified that you were looking at a genuine Facebook login page before re-entering your credentials.** – CBHacking Sep 29 '18 at 00:29

5 Answers

144

Facebook reported a data leak today and forced a large number of accounts to log off as a precaution. Source: NY Times and Facebook.

That NYT article says "The company forced more than 90 million users to log out early Friday, a common safety measure taken when accounts have been compromised."

Additional article from The Hacker News: "unknown hacker or a group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access tokens for more than 50 million accounts" and "Facebook has already reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution".

Rory Alsop
Teun Vink
  • I was affected just as OP was. But it's rather inconvenient that they revoked all tokens AND removed information from _When you're logged in_ so we can't see if anyone accessed our data... – Thibault D. Oct 01 '18 at 07:53
  • @ThibaultD. that might just be very convenient for them. – AncientSwordRage Oct 02 '18 at 10:04
13

Are there any chances that someone was successfully able to get into my account? If yes, then how could they bypass the two-factor authentication?

If your account had 2FA, it seems unlikely that an attacker could use this exploit to get into it. But many Facebook users don't use two-factor authentication.

Is that incident normal, or should I take security actions?

Action has already been taken for you. Any old token you had is no longer valid, not for you and not for an attacker either. That's why you suddenly were unable to access Facebook without logging in again. The same thing is true of anyone who might have wanted to exploit a token which let them pose as you - they too would have to re-authenticate. None of Facebook's statements suggest that they're able to authenticate as you as the result of this particular exploit or vulnerability. They also don't totally make it clear that Facebook did more than just reset tokens - if that were all they did, all the attackers would have to do would be to start collecting tokens again. I assume that Facebook patched the vulnerability at the same time so that stolen tokens can't be abused again in the future.

Beanluc
  • Regarding the attackers collecting tokens again, Facebook has disabled the feature ("View as") which caused the leak. Source: [*'the company \[Facebook\] suspended the "View As" feature while it reviews its security.'*](https://www.cnbc.com/2018/09/28/facebook-says-it-has-discovered-security-issue-affecting-nearly-50-million-accounts-investigation-in-early-stages.html) – wjandrea Sep 29 '18 at 21:58
  • [The same article](https://www.cnbc.com/2018/09/28/facebook-says-it-has-discovered-security-issue-affecting-nearly-50-million-accounts-investigation-in-early-stages.html) also says *"This vulnerability, which consisted of three separate bugs, also allowed the hackers to get access tokens — digital keys which let people stay logged into the service without having to re-enter their password — which could be used to control other people's accounts."* which seems to contradict what you said. – wjandrea Sep 29 '18 at 22:01
  • This answer is incorrect. Mark Zuckerberg himself [posted](https://m.facebook.com/story.php?story_fbid=10105274505136221&id=4) a statement saying, "*we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to **log into** about 50 million people's accounts*". He also states that the issue was patched and the route used to exploit the vulnerability ("View As") has been temporarily disabled while they review it. – Herohtar Oct 01 '18 at 17:23
  • @Herohtar - Zuckerberg's statement is an attempt to explain stolen session cookies in a way that is immediately clear to the layman. It's very common for such statements to be obviously incorrect to those who are already well-versed in the topic. In this case, it is the answer which is correct and Zuck's statement which is technically incorrect (but close enough, and simplified enough, to be useful to the non-specialist public). – Dave Sherohman Oct 03 '18 at 07:41
  • @DaveSherohman No, the answer is definitely wrong; I quoted Zuckerberg as being most authoritative, but there are multiple other articles by tech sites that actually talked with people from the Facebook team and they all say it allowed logins. Also, it was authentication tokens that were stolen, not session cookies, and those are exactly what allow logins (though session cookies can too). Finally, they specifically stated that it allowed access to accounts that had used Facebook login -- Instagram, Twitter, etc. Those accounts wouldn't be affected at all if the stolen info didn't allow logins. – Herohtar Oct 03 '18 at 14:26
  • I updated the answer to reflect Facebook's statements about severity. – Beanluc Oct 03 '18 at 19:58
3

This question is a great opportunity to point out that FB badly botched the handling of this. Being unexpectedly logged out and asked to log in again looks just like phishing, and it should be treated as such by users.

After invalidating session tokens, Facebook should have made the invalid ones redirect not to the main login page, but to a page explaining the breach and asking the user to click logout, then manually type facebook.com in their browser location bar and login again.

  • 50 million people trying to type "facebook.com" is probably a wet dream for typosquatters. – Eric Duminil Sep 29 '18 at 10:00
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/83914/discussion-on-answer-by-r-logged-out-of-facebook-on-all-devices-on-a-sudden-s). – Rory Alsop Oct 01 '18 at 18:24
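As an added illustration (not code from any answer or from Facebook), the two points made in the answers above in working form: Beanluc's answer's observation that resetting access tokens kills the legitimate copy and the stolen copy alike while leaving the password and 2FA untouched (2FA is checked at login, not when a bearer token is presented, which is how token theft sidesteps it), and this answer's suggestion that an invalidated session should land on an explanatory page rather than a bare login form. The token layout, signing key, user names, timestamp and paths are all constructed for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"      # assumption: server-side HMAC key

# Per-user "token generation" counter. Bumping it invalidates every token
# previously issued to that user without touching the password or 2FA settings.
TOKEN_GENERATION = {"alice": 1, "bob": 1}

def _sign(body: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SECRET, body, hashlib.sha256).digest()).decode()

def issue_token(user: str, issued_at: int) -> str:
    """Issue a bearer token bound to the user's current generation (done once, after login + 2FA)."""
    body = json.dumps({"u": user, "g": TOKEN_GENERATION[user], "iat": issued_at}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def check_token(token: str) -> str:
    """Return 'ok', 'tampered' or 'revoked'. No 2FA happens here: whoever holds a
    valid bearer token is treated as the user, which is why token theft bypasses 2FA."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return "tampered"
    if not hmac.compare_digest(_sign(body), sig):
        return "tampered"
    claims = json.loads(body)                     # signature verified, so this is our own JSON
    if claims.get("g") != TOKEN_GENERATION.get(claims.get("u")):
        return "revoked"          # issued before a reset: dead whether stolen or legitimate
    return "ok"

def reset_tokens(users) -> list:
    """Mass reset after a token leak: bump each affected user's generation and log it."""
    for u in users:
        TOKEN_GENERATION[u] += 1
    return [f"token-reset user={u} generation={TOKEN_GENERATION[u]}" for u in users]

def landing_page(token: str) -> str:
    """Route by token state; a revoked session gets an incident notice, not a bare login form (constructed paths)."""
    return {"ok": "/feed", "revoked": "/security/incident-notice", "tampered": "/login"}[check_token(token)]

def demo():
    alice_phone = issue_token("alice", 1538000000)    # constructed timestamp
    stolen_copy = alice_phone                         # an attacker holding the same bearer token
    bob_laptop = issue_token("bob", 1538000000)
    before = (check_token(alice_phone), check_token(stolen_copy))
    reset_tokens(["alice"])                           # only alice's tokens are reset
    after = (check_token(alice_phone), check_token(stolen_copy), check_token(bob_laptop))
    return before, after, landing_page(stolen_copy)
```

Note what the reset does not give you: once the old generation is gone, nothing in this store tells alice whether the stolen copy was ever used, which is the complaint raised in the comments about the emptied "When you're logged in" list.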
1

This was a precautionary measure, instigated by Facebook.

It reminds us of a very important point.

Facebook is a noticeboard. Don't put stuff on a noticeboard that you don't want people to see.

Remember that, and a lot of the 'security' worries go away. Not all of them, but a lot of them.

Laurence
  • Privacy is far from the only issue involved in security. I don't want anyone to impersonate me regardless of what data they can access, for example. – Matthew Read Oct 01 '18 at 15:26
  • Furthermore, people use Facebook to log into a variety of other sites... – RandomUs1r Oct 01 '18 at 18:51
  • It's probably advisable not to use a noticeboard as a password manager either. – kloddant Oct 01 '18 at 20:49
  • How does talking to multiple people individually and privately compare to posting things on a noticeboard? Facebook is more than just posting stuff on your public wall. – ESR Oct 02 '18 at 05:44
-1

Are there any chances that someone was successfully able to get into my account? If yes, then how could they bypass the two-factor authentication?

Yes. They exploited a bug in Facebook's code. What they were able to see – nobody knows. We only know what Facebook reported, but do you trust this company to disclose all information?

Is that incident normal, or should I take security actions?

You should consider deleting your account from sites that do not secure your data well enough. You'll have to weigh the benefits of being on this site versus the risk of another breach and the sensitivity of the data you send this company and everything they can guess from that. This might include your sexual orientation, your partners, affairs, financial situation, private chat messages...

knallfrosch