Facebook is understood to have informed the government that the recent breach, which impacted around 50 million accounts globally, did not compromise accounts of its Indian users. The social media platform informed the Indian Computer Emergency Response Team (Cert-In), which is the nodal agency for responding to such computer security incidents.
“Facebook has replied. They said the company is in the process of evaluating the extent of breach in the affected countries. They also said accounts have been attacked or targeted, but no account has been compromised in India. They are trying to quantify the extent, but so far they said that no misuse has been reported,” a senior government official said.
On September 28, Facebook disclosed the data breach in a security update, saying it impacted around 50 million user accounts. The breach was discovered on September 25.
A Cert-In advisory said attackers exploited a vulnerability in Facebook’s ‘View As’ feature to access users’ accounts. They exploited Facebook’s APIs to access personal details of users. This vulnerability allowed attackers to steal users’ access tokens, which can be used to access the account and other third-party websites that the user had logged into using his or her Facebook credentials. Many Facebook users use their account to log into third-party apps like Zomato, Swiggy, Myntra, etc.
In the September 28 security update, Facebook’s vice-president for product management Guy Rosen said, “We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90 million people will now have to log back into Facebook, or any of their apps that use Facebook log in.” After they have logged back in, people will get a notification at the top of their news feed explaining what happened, Rosen said.