Facebook on Friday disclosed a security breach affecting nearly 50 million accounts.
The social network discovered the breach on Tuesday and is still investigating the issue, Guy Rosen, VP of product management, wrote in the announcement.
The hackers exploited a vulnerability in Facebook’s code impacting the “View As” feature, which lets you see what your profile looks like to the public or a specific individual. For now, Facebook is turning off the “View As” feature while it investigates the incident.
The attackers stole Facebook access tokens — aka “digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen explained. With your access token, an attacker could take over your account and use it as if they were you.
The flaw that attackers exploited stemmed from a video-uploading feature change Facebook made in July 2017, but it did not elaborate.
Facebook has patched that bug, notified law enforcement about the breach, and reset the access tokens of all impacted accounts. As a precaution, Facebook is resetting the tokens for another 40 million accounts “that have been subject to a ‘View As’ look-up in the last year.” The company said there’s no evidence those other 40 million accounts have been compromised.
In total, around 90 million people will have to log back in the next time they try to access the platform. On a call with reporters Friday, Facebook executives said no actual passwords were taken, so a password reset is not necessary. No credit card information was affected, they added.
At this point, many questions remain: “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen wrote. “We also don’t know who’s behind these attacks or where they’re based.”