Google is hosting tutorials on how to hijack Facebook accounts using a method similar to the one used by the hackers who gained access to the personal data of 50 million users.
The step by step video guides could still be accessed on YouTube, Google’s popular video streaming website, hours after Facebook revealed the breach.
Experts warned that any number of other hackers, including foreign intelligence agencies, could have accessed people’s accounts continually since July 2017.
Guy Rosen, Facebook’s vice president of product management, told reporters that 50 million users – including Facebook’s chief executive Mark Zuckerberg and its chief operating officer Sheryl Sandberg – were confirmed victims of the attack, but that an additional 40 million users might have been exposed to similar attacks.
On YouTube, the tutorials – some of which have been deleted by Google – explain how to hack into Facebook profiles by stealing “access tokens”, digital keys which allow users to log in without entering their passwords every time. They have already been watched several thousand times.
An attacker who has a user’s access token can use their account as if they are that user, from posting in their name to reading through their messages to looking through an archive of what they have “liked” and shared.
Nathaniel Gleicher, Facebook’s head of cyber security policy, told the Telegraph he was “aware of certain videos describing different elements of the attack” and that the company was “looking into these to make sure people’s accounts are protected”.
Facebook executives held two crisis press conferences on Friday after the company revealed that it had called in the FBI when it realized it had fallen victim to a “major” attack.
It admitted that hackers could also use the tokens to access third-party apps and websites which allow users to log in via Facebook. Instagram accounts linked to Facebook accounts were also affected.
The hack was discovered when Facebook employees noticed a large spike in traffic on September 16, possibly representing a single attack by one or more adversaries.
But Beau Woods, a cybersecurity fellow at the Atlantic Council, said it was likely the vulnerability had already been identified by other attackers in the fourteen months since it was introduced.
“I would say that the 50 million is maybe the tip of the iceberg,” he told the Telegraph. “It’s not uncommon to have multiple adversaries over time, varying in sophistication, and it’s just the clumsiest one that alerts the palace guards.”
Knowledge of security loopholes, he said, very often spreads – either accidentally “over beers”, through deliberate sale, or simply through multiple hackers independently discovering the same method.
This exploit could have been used by organised criminals or state intelligence agencies to hack specific accounts, such as those belonging to politicians or business chiefs, long before less subtle attacks were spotted by Facebook.
Alternatively, he said, the traffic spike could have been generated by a virus or even by a smaller attack which accidentally rampaged out of control.
Others have pointed to “bedroom hackers” who may have been hoping to claim Facebook’s bug bounty – a payment made to reward those who discover flaws and report them through official channels.
Days before Facebook went public with the hack, a Taiwanese hobbyist announced he would live stream himself hacking into and deleting Mark Zuckerberg’s account.
A spokesman from Google said that it reviews flagged content carefully and will remove videos that encourage illegal activities or the hacking of accounts or sites with “malicious intentions”.