Facebook fucks up, but you don’t have to change your password.

Key takeaway from the recent Facebook hack that resulted in many users being logged out: the attackers never cracked any passwords. They exploited a flaw in how Facebook’s access tokens were implemented. An access token is issued only AFTER you have logged in successfully; it is what lets you stay logged in every time you open Facebook (or any other site with the same kind of “keep me logged in” feature) without re-entering your password.

A properly-created access token is not an encrypted copy of your password; it is a random value (or a signed ticket) that contains no password material at all, so it cannot be decrypted or reversed to recover the password used at the login that created it. An article at 9 To 5 Mac makes the same point: you do NOT have to change your password. What matters is that the server stops honoring the stolen tokens. Logging out invalidates your existing token and logging back in creates a new one, which is why Facebook forcibly logged the affected accounts out rather than demanding password resets.

Most if not all sites that let your browser store a cookie so you are logged in automatically work essentially the same way. Facebook’s vulnerability appears to have stemmed from several coding mistakes combining (“This attack exploited the complex interaction of multiple issues in our code”) into a regression that was exploitable only IF you knew the flaw existed AND could work out how to use it to obtain access tokens for other people’s accounts.

If you feel more comfortable changing your password, by all means do so; but again, no passwords were cracked in this hack, and a simple logout/login is enough to discard the old token and create a new, unique one. Note that on some sites a password change does not by itself revoke tokens that were already issued; it is the token revocation, not the password change, that shuts an attacker out.

One significant result of this hack is that it made crystal clear that being lazy and using the “Login Using Facebook” feature on many third-party sites has a cost: a token that lets an attacker act as you on Facebook can also be used to sign in as you on every site that trusts Facebook to vouch for you, so all those logins were effectively exposed, too.  I’ve never used that feature and now I certainly never will.
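To make the token argument above concrete, here is an added example (my own illustration, not Facebook’s code and not from the 9 To 5 Mac article) of a minimal bearer-token session store: passwords are kept only as salted hashes, a token is a random value issued only after the password check passes, a stolen token gives an attacker the session but nothing about the password, and revoking tokens server-side (the “log everyone out” remedy) shuts the attacker out without any password change. The `partner_site_login` function is an assumed stand-in for a third-party site that accepts a Facebook-style token as proof of identity, to show why federated logins were exposed along with the token; the PBKDF2 round count and session lifetime are arbitrary values chosen for the demo.

```python
# Added example, not Facebook's code: a minimal bearer-token session model.
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000              # assumed: demo tuning, not a recommendation
TOKEN_TTL_SECONDS = 60 * 24 * 3600   # assumed: 60-day "stay logged in" lifetime

# Constructed in-memory tables standing in for a real database.
users = {}     # username -> {"salt": bytes, "hash": bytes}; no plaintext passwords
sessions = {}  # sha256(token) -> {"user": str, "issued": float, "expires": float}


def register(username, password):
    """Store only a salted PBKDF2 hash of the password."""
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
    }


def check_password(username, password):
    """Constant-time comparison against the stored hash."""
    record = users.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def _session_key(token):
    # Index sessions by a hash of the token so a dumped session table
    # does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, password, now=None):
    """Issue a fresh token only AFTER the password check succeeds.

    The token is 256 random bits from the OS CSPRNG. It is not derived from
    the password, so nothing about the password can be recovered from it.
    """
    if not check_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    sessions[_session_key(token)] = {"user": username, "issued": now, "expires": now + TOKEN_TTL_SECONDS}
    return token


def authenticate(token, now=None):
    """Resolve a presented token to a username, or None if unknown, revoked or expired."""
    now = time.time() if now is None else now
    session = sessions.get(_session_key(token))
    if session is None or session["expires"] <= now:
        return None
    return session["user"]


def logout(token):
    """A user's own logout: invalidate just this one token."""
    return sessions.pop(_session_key(token), None) is not None


def revoke_all_sessions(username):
    """Server-side 'log this account out everywhere'; returns how many tokens died.

    This is the remedy for a token leak: the attacker's copy stops working
    even though the password was never changed.
    """
    doomed = [key for key, s in sessions.items() if s["user"] == username]
    for key in doomed:
        del sessions[key]
    return len(doomed)


def partner_site_login(token, now=None):
    """Assumed stand-in for a 'Login Using Facebook' relying party.

    The partner never sees a password; it trusts whoever holds a valid token.
    A stolen token therefore signs the thief in here too, and token
    revocation locks the thief out here too.
    """
    user = authenticate(token, now)
    return None if user is None else f"partner-session-for:{user}"


def demo():
    """Walk through the incident: theft, impact, remediation."""
    register("alice", "correct horse battery staple")
    stolen = login("alice", "correct horse battery staple")  # attacker gets the token, not the password
    return {
        "attacker_is_alice": authenticate(stolen) == "alice",
        "attacker_on_partner": partner_site_login(stolen) is not None,
        "password_in_token": "correct horse" in stolen,
        "revoked": revoke_all_sessions("alice"),
        "attacker_after_revoke": authenticate(stolen),
        "partner_after_revoke": partner_site_login(stolen),
        "password_still_valid": check_password("alice", "correct horse battery staple"),
        "fresh_login_works": login("alice", "correct horse battery staple") is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the whole story in one pass: the stolen token is accepted by both the main site and the partner site, contains nothing about the password, stops working everywhere the moment the server revokes it, and the unchanged password still works for a fresh login that mints a brand-new token.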