Facebook announced this afternoon that more than 50 million of its users were affected by a security breach that its engineers discovered on Tuesday. The company says it has already fixed the flaw that led to the breach and has informed law enforcement. In addition, all affected accounts, as well as 40 million others, have been reset “as a precautionary step”. These users were prompted to log in again today; no password change was required.
Facebook wouldn’t confirm where in the world these 50 million users were, but it did inform data regulators in Ireland, where Facebook’s European subsidiary is based.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based,” said Guy Rosen, Facebook’s VP of Product Management.
Attackers were able to capitalize on a vulnerability in Facebook’s “View As” feature. “View As” lets a user see what their own profile looks like to other viewers. It exists so that users know which of their information is visible to each of Facebook’s audience categories: friends, friends of friends, and the public.
Multiple bugs in this feature allowed malicious hackers to retrieve access tokens, which they could then use to take control of other people’s accounts.
According to Mr. Rosen, “Access tokens are the equivalent of digital keys that keep people logged into Facebook so they don’t need to re-enter their password every time they use the app.”
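To make the two points above concrete (why a preview-as-another-user feature must never materialize that user's credential, and why a bulk token reset forces re-login without touching passwords), here is an added illustrative model in Python. It is not Facebook's code and does not describe the actual bugs; the friend graph, profile fields, audience rules and the `TokenStore`/`view_as_*` functions are all constructed for this example.

```python
import secrets

# Constructed sample data (not Facebook's): a tiny friend graph and a profile
# whose fields are each tagged with the audience allowed to see them.
FRIENDS = {"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}}
PROFILE = {"name": ("public", "Alice"), "city": ("friends_of_friends", "Dublin"),
           "email": ("friends", "alice@example.test")}
RANK = {"public": 0, "friends_of_friends": 1, "friends": 2}

def relationship(owner, viewer):
    """Classify viewer relative to owner: friends, friends of friends, or public."""
    direct = FRIENDS.get(owner, set())
    if viewer in direct:
        return "friends"
    if any(viewer in FRIENDS.get(f, set()) for f in direct):
        return "friends_of_friends"
    return "public"

def visible_fields(rel):
    """The profile fields a viewer in relationship `rel` is allowed to see."""
    return {k: v for k, (aud, v) in PROFILE.items() if RANK[rel] >= RANK[aud]}

class TokenStore:
    """Server-side session store. Tokens are bearer credentials ("digital keys"),
    so keeping them server-side lets a set of accounts be reset in bulk: the
    users must log in again, but no password is changed."""
    def __init__(self):
        self._sessions = {}  # token -> user_id

    def issue(self, user_id):
        tok = secrets.token_urlsafe(32)
        self._sessions[tok] = user_id
        return tok

    def resolve(self, token):
        return self._sessions.get(token)

    def reset_users(self, user_ids):
        doomed = [t for t, u in self._sessions.items() if u in user_ids]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

def view_as_unsafe(store, owner_token, as_user):
    # Risky pattern: the preview is built by minting a real session for the
    # impersonated user, so any leak from the rendered page is a usable key.
    owner = store.resolve(owner_token)
    borrowed = store.issue(as_user)  # a credential for someone else
    return {"owner": owner, "token": borrowed,
            "fields": visible_fields(relationship(owner, as_user))}

def view_as_safe(store, owner_token, as_user):
    # Hardened pattern: the preview is a pure visibility computation; no
    # session is ever created for `as_user`, so there is nothing to leak.
    owner = store.resolve(owner_token)
    if owner is None:
        raise PermissionError("preview requires the owner's own session")
    return {"owner": owner, "token": None,
            "fields": visible_fields(relationship(owner, as_user))}
```

The safe variant reproduces the audience filtering a preview needs while the token store holds only the owner's own session, so a later `reset_users` call is the whole remediation.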
The timing of this breach does not bode well for Facebook in the wake of a national scandal wherein its ability to protect private user data has been repeatedly questioned. Facebook has already seen a 3% drop in its stock price today.
Mark Zuckerberg said in a conference call today that the firm took this issue very seriously in the face of what he said were “constant attacks by bad actors”.