An attack on Facebook discovered earlier this week exposed information on nearly 50 million of the social network’s users, the company announced Friday.
The attackers exploited a feature called “View as” that lets users see their Facebook page the way someone else would. They could then potentially use it to take over the accounts and use them exactly as if they were the account holders.
Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement. It has also informed the Irish Data Protection Authority about the breach, a step required by Europe’s GDPR regulations.
More than 90 million users were forced to log out of their accounts on Friday for security reasons. Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged out users will receive a notification about the issue from Facebook.
The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has turned off the “View As” feature that the attackers exploited while it investigates.
Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity — a spike in user access to the site — on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday of this week. On Wednesday it notified law enforcement and on Thursday evening it fixed the vulnerability and began resetting login tokens.
The attackers stole Facebook “access tokens” which keep a person logged into their Facebook account over long periods of time so they don’t have to keep signing in. Facebook reset all 50 million, as well as tokens for an additional 40 million people who had used the feature in the past year as a “precautionary step.”
“The reality here is we face constant attacks from people who want to take over accounts or steal information…. we need to do more to prevent this from happening in the first place,” CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.
The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years. Facebook says it is investing heavily in security going forward, and increasing the number of people working on security from 10,000 to 20,000.
“Security is an arms race and we’re continuing to improve our defenses,” said Zuckerberg.