Facebook has said at least 50 million user accounts may be at risk after hackers exploited a security vulnerability on the site.
The company said in a blog post Friday that it discovered the bug earlier in the week. The bug is part of the site’s “View As” feature that lets a user see their profile as someone else. Facebook has switched off the “View As” feature in the meantime while it investigates the bug further.
The bug allowed hackers to obtain account access tokens, which are used to keep users logged in after they enter their username and password. Stolen tokens can allow hackers to break into accounts without needing the password.
Facebook said that it has reset access tokens of all users affected, as well as an additional 40 million accounts out of an abundance of caution. That means some 90 million users will have been logged out of their account — either on their phone or computer — in the past day.
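One way a service makes a mass token reset like the one described above effective is to bind every access token to a per-user "generation" counter held server-side, so that bumping the counter invalidates all outstanding tokens at once, including stolen ones. The following is an added illustration written for this article, not Facebook's code; the key, user ids and token format are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real service would keep this in a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-use"

# Per-user token generation. Bumping a user's generation invalidates every
# token issued under the old value, which is what a "reset" does.
token_generation: dict[str, int] = {}


def issue_token(user_id: str) -> str:
    """Issue an access token bound to the user's current generation."""
    gen = token_generation.setdefault(user_id, 1)
    payload = f"{user_id}:{gen}:{int(time.time())}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token: str):
    """Return the user id if the token is authentic and current, else None."""
    try:
        user_id, gen, issued, mac = token.split(":")
    except ValueError:
        return None  # malformed token
    payload = f"{user_id}:{gen}:{issued}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    if int(gen) != token_generation.get(user_id):
        return None  # token predates a reset, so it is no longer valid
    return user_id


def reset_tokens(user_ids) -> None:
    """Log the given users out everywhere by invalidating all their tokens."""
    for uid in user_ids:
        token_generation[uid] = token_generation.get(uid, 1) + 1


def demo() -> tuple:
    """Walk through theft, reset, and re-issue for a constructed user."""
    stolen = issue_token("alice")            # attacker copies this token
    before = verify_token(stolen)            # still works: "alice"
    reset_tokens(["alice"])                  # precautionary mass reset
    after = verify_token(stolen)             # stolen token now rejected: None
    fresh = verify_token(issue_token("alice"))  # new login works again
    return before, after, fresh
```

Because the check is a single integer comparison per request, the same mechanism scales to resetting tens of millions of accounts without touching each token individually.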
Facebook also said that users will be notified of the security incident through a notification in their News Feed once they log back in.
“This is a breach of trust and we take this very seriously.”
— Facebook’s Guy Rosen
“We have yet to determine whether these accounts were misused or any information accessed,” said Guy Rosen, Facebook’s vice president of product management. “We also don’t know who’s behind these attacks or where they’re based.”
Rosen said that Facebook spotted the attack because the hackers were running it in an automated way at a “large scale.”
Chief executive Mark Zuckerberg said on a call with reporters that the company doesn’t know if any accounts have been improperly accessed, though he said that the attackers tried to access account information by querying its developer APIs, which Facebook locked down last night.
“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts,” Zuckerberg told reporters. “But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way,” he said.
The vulnerability, which was a result of three distinct bugs, was introduced in July 2017, when Facebook created a new video upload functionality on the service. On September 16, 2018, Facebook discovered unusual activity and launched an investigation that same week. On Tuesday, September 25, it uncovered the attack. It then notified law enforcement on Thursday, September 27, in the afternoon.
On Thursday evening, it fixed the vulnerability and began resetting the access tokens of people to protect the security of their accounts.
Facebook said the FBI is now investigating. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located.
The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.