Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

jmch (Silver badge)

Re: Has anyone been informed by FB?

"I'm pleased that I use a unique password for the site"

As I understood the information that has been made public*, the bug allowed users to generate security tokens as other users. I guess that since many people keep a FB page/tab open all the time and/or the FB mobile app is 'always-on', these tokens don't expire (or at least not for a long time) and so hackers can reuse these tokens to act as the spoofed users... BUT hackers did not actually get any passwords. That's why users were not asked to change passwords... a simple logoff/logon would invalidate the previous security token and create a new one.

*of course there could be other things NOT made public
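The distinction the comment draws (a stolen long-lived token stays usable after a password change, but is dead once the session is logged out or the user's tokens are revoked) can be shown with a small server-side token store. This is an added illustration, not code from the commenter or from Facebook; the store, the 60-day lifetime and the user name are constructed assumptions.

```python
import secrets
import time

# Constructed in-memory store: opaque bearer token -> (user, expiry time).
# Assumption: tokens are long-lived, as the comment describes for always-on apps.
_tokens: dict = {}
TOKEN_LIFETIME = 60 * 24 * 3600  # assumed 60-day lifetime, in seconds

def issue_token(user: str, now: float) -> str:
    """Mint a fresh random bearer token for `user` (e.g. at login)."""
    tok = secrets.token_urlsafe(32)
    _tokens[tok] = (user, now + TOKEN_LIFETIME)
    return tok

def whoami(tok: str, now: float):
    """Resolve a presented token to its user, or None if unknown/expired."""
    entry = _tokens.get(tok)
    if entry is None:
        return None
    user, exp = entry
    if now >= exp:
        del _tokens[tok]      # lazily drop expired tokens
        return None
    return user

def logout(tok: str) -> None:
    """Server-side logoff: the token is forgotten, so replaying it fails."""
    _tokens.pop(tok, None)

def change_password(user: str) -> None:
    """A password change alone never touches the token store."""
    pass

def revoke_all(user: str) -> int:
    """Forced invalidation of every token for `user`; returns how many were dropped."""
    stale = [t for t, (u, _) in _tokens.items() if u == user]
    for t in stale:
        del _tokens[t]
    return len(stale)

def demo():
    """Returns (valid_after_password_change, user_after_logout)."""
    now = time.time()
    captured = issue_token("alice", now)  # a token a third party might have obtained
    change_password("alice")
    still_valid = whoami(captured, now) == "alice"   # True: password is irrelevant
    logout(captured)
    return still_valid, whoami(captured, now)        # (True, None)
```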
