Logged out of Facebook on all devices all of a sudden. Should I be worried about being hacked?
Facebook reported a data leak today and forced a large number of accounts to log off as a precaution. Source: NY Times and Facebook.
That NYT article says "The company forced more than 90 million users to log out early Friday, a common safety measure taken when accounts have been compromised."
Additional article from The Hacker News - "unknown hacker or a group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access tokens for more than 50 million accounts" and "Facebook has already reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution"
Are there any chances that someone was successfully able to get into my account? If yes, then how could they bypass the two-factor authentication?
If your account had 2FA, it seems unlikely that an attacker could use this exploit to get into it. But many Facebook users don't use two-factor authentication.
Is that incident normal, or should I take security action?
Action has already been taken for you. Any old token you had is no longer valid, not for you and not for an attacker either. That's why you suddenly were unable to access Facebook without logging in again. The same thing is true of anyone who might have wanted to exploit a token which let them spoof as you: they too would have to re-authenticate. None of Facebook's statements suggest that they're able to authenticate as you as the result of this particular exploit or vulnerability. They also don't totally make it clear that Facebook did more than just reset tokens; if that were all that they did, all the attackers would have to do would be to start collecting tokens again. I assume that Facebook patched the vulnerability at the same time so that stolen tokens can't be abused again in the future.
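To make the token-reset mechanism above concrete, here is an added example (not code from the question, the answers, or Facebook) of a toy bearer-token scheme: tokens are HMAC-signed and carry a per-user "token version", and a forced logout is nothing more than bumping that version on the server. The names `login`, `issue_token`, `verify_token`, `force_logout` and the in-memory `TOKEN_VERSION` table are assumptions for illustration. The point it shows is that the user's token and the attacker's stolen copy are the same bytes, so the server cannot distinguish them; both die together when the version changes, and the only way to get a working token again is a fresh `login`, which is where the password and any second factor are checked. Using a token never re-runs those checks.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical server-side state for this example (not Facebook's design).
SERVER_KEY = secrets.token_bytes(32)           # constructed signing key, fresh per process
TOKEN_VERSION: dict = {}                        # user_id -> version every valid token must match
SECOND_FACTOR_ENROLLED = {"alice": True}        # constructed sample user with 2FA turned on


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login(user_id: str, password_ok: bool, otp_ok: bool) -> str:
    """Full authentication. This is the ONLY path that checks the password and
    the second factor; once a token exists, presenting it skips both."""
    if not password_ok:
        raise PermissionError("bad password")
    if SECOND_FACTOR_ENROLLED.get(user_id) and not otp_ok:
        raise PermissionError("second factor required")
    TOKEN_VERSION.setdefault(user_id, 0)
    return issue_token(user_id)


def issue_token(user_id: str) -> str:
    """Sign {sub, ver} with the server key; the token is a bearer credential."""
    payload = json.dumps(
        {"sub": user_id, "ver": TOKEN_VERSION[user_id]}, separators=(",", ":")
    ).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str) -> Optional[str]:
    """Return the user id if the token is valid for the user's CURRENT version, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    # After a reset the signature is still cryptographically valid; the
    # version comparison is what actually revokes the token.
    if claims.get("ver") != TOKEN_VERSION.get(claims.get("sub")):
        return None
    return claims["sub"]


def force_logout(user_id: str) -> None:
    """The precautionary reset: every outstanding token for this user stops working,
    no matter who holds it. The attacker's copy is not special."""
    TOKEN_VERSION[user_id] = TOKEN_VERSION.get(user_id, 0) + 1


def demo() -> dict:
    alice_token = login("alice", password_ok=True, otp_ok=True)
    stolen_copy = alice_token                   # attacker exfiltrated the same bytes
    before = (verify_token(alice_token), verify_token(stolen_copy))
    force_logout("alice")                       # the "logged out everywhere" event
    after = (verify_token(alice_token), verify_token(stolen_copy))
    fresh = login("alice", password_ok=True, otp_ok=True)   # user re-authenticates with 2FA
    return {
        "before": before,
        "after": after,
        "fresh_ok": verify_token(fresh) == "alice",
        "stolen_after_relogin": verify_token(stolen_copy),
    }


if __name__ == "__main__":
    print(demo())
```

Whether the real service stores sessions server-side or uses a version field like this, the effect the answer describes is the same: the user notices a forced re-login, and an attacker holding the old token is locked out at the same instant. What the reset does not do is stop the attacker from stealing a new token if the underlying bug is still there, which is why the answer assumes the vulnerability was patched alongside the reset.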
This question is a great opportunity to point out that FB badly botched the handling of this. Being unexpectedly logged out and asked to login again looks just like phishing and it should be treated as such by users.
After invalidating session tokens, Facebook should have made the invalid ones redirect not to the main login page, but to a page explaining the breach and asking the user to click logout, then manually type facebook.com in their browser location bar and log in again.