Facebook security breach allowed hackers to control the accounts of up to 50 million users
Facebook discovered a security issue that allowed hackers to access information that could have let them take over around 50 million accounts, the company announced on Friday.
The company said in a blog post its engineering team found that attackers identified a weakness in Facebook’s code regarding its “View As” feature on Tuesday. Facebook became aware of a potential attack after it noticed a spike in user activity on Sept. 16.
“This is a very serious security issue, and we’re taking it very seriously,” said CEO Mark Zuckerberg said on a call with reporters.
“View As” lets users see what their profile looks like to other users on the platform. This vulnerability, which consisted of three separate bugs, also allowed the hackers to get access tokens — digital keys which let people stay logged into the service without having to re-enter their password — which could be used to control other people’s accounts.
Almost 50 million accounts had their access tokens taken, and Facebook has reset those tokens. The company also reset tokens for an additional 40 million accounts who used the “View As” feature in the last year as a precautionary measure, for a total of 90 million accounts or about 4 percent of total users given the 2.23 billion monthly active users as of June 30.
The reset will require these users to re-enter their password when they return to Facebook or access an app that uses Facebook Login. They will also receive a notification at the top of their News Feed explaining what happened.
In addition, the company suspended the “View As” feature while it reviews its security, fixed the issue on Thursday night and has notified law enforcement including the FBI and the Irish Data Protection Commission in order to any address General Data Protection Regulation (GDPR) issues.
Facebook said it just begun its investigation and has not determined if any information was misused, but the initial investigation has not shown any information was abused. The hackers did query Facebook’s API system, which lets applications communicate with the platform, to get more user information. The company is not sure if the hackers used that data, nor does it know who orchestrated the hack or where the person or persons are based.
The company said there is no need to change passwords, and if additional accounts are affected, it will immediately reset that user’s access token. Between 10,000 and 20,000 employees are working to improve security at Facebook, the company stressed.
“Security is an arms race, and we’re continuing to improve our defenses,” Zuckerberg said. “This just underscores there are constant attacks from people who are trying to underscore accounts in our community.”
Facebook, which was already trading down about 1.5 percent before the announcement, extended losses to as much as 3.5 percent after the disclosure.
Zuckerberg addressed the issue in a Facebook post on his account. Read it below: