Facebook on Friday revealed an attack against its platform affecting up to 50 million users.
“Security Update https://t.co/8HUo0aHIQJ” — Facebook Newsroom (@fbnewsroom) September 28, 2018
In a statement from the company, Guy Rosen, Facebook’s vice president of product management, said the issue was discovered Tuesday and involved the service’s “View As” feature.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” Rosen said.
The hackers were able to obtain access tokens that could be used to “take over people’s accounts.” The tokens allow users to remain logged in while using the company’s app.
Facebook says it has since patched the vulnerability, alerted law enforcement and “reset the access tokens of the almost 50 million accounts.”
“We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year,” Rosen added. “As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
“If you’ve been logged out of your account and asked to sign back in, it’s because we’ve discovered a security issue and are taking immediate action to protect people on Facebook. Learn more https://t.co/XLcHGYFBu2” — Facebook (@facebook) September 28, 2018
Facebook’s “View As” feature has also been temporarily disabled while the company carries out a “thorough security review.”
Rosen says Facebook is not yet able to determine whether any information was accessed or to identify the source of the attack.
“We also don’t know who’s behind these attacks or where they’re based,” Rosen continued. “We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.”
News of the breach comes amid numerous scandals involving the social media company, including over its policies on sharing user data with third parties.