Facebook says the accounts of nearly 50 million users were breached, the latest in a string of security lapses that have shaken public confidence in the social media giant.
Attackers exploited a vulnerability in Facebook’s code that allowed them to take over users’ accounts. The breach was discovered Tuesday afternoon.
The extent of the massive breach — whether Facebook users’ personal information was accessed by the attackers — is not yet known.
Facebook says it is in the early stages of its investigation. It has not identified the attackers nor does it know the origin of the attack. The Silicon Valley company notified the FBI on Wednesday and patched the vulnerability Thursday night.
“We are still in the early phase of investigating this,” Facebook CEO Mark Zuckerberg told reporters Friday. “We do not yet know if any of the accounts were actually misused.”
Zuckerberg says Facebook has invested heavily in security measures but will step up efforts to lock down Facebook users’ accounts.
“The reality here is we face constant attacks,” he said. “We need to do more to prevent this from happening in the first place.”
More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning as a security measure. They will be notified why at the top of their News Feed, the Facebook CEO said.
Attackers exploited a vulnerability in Facebook’s code that affected “View As,” a feature that lets people see what their own profile looks like to someone else. The feature was built to give users more control over their privacy. Facebook says the “View As” flaw was compounded by a second vulnerability in its video-uploading feature, introduced last year; together they allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts.
These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook. Whoever holds a valid token can act as that account without knowing its password. Facebook has reset the tokens of the nearly 50 million affected accounts and, as a precaution, has also reset the tokens for another 40 million accounts that used “View As” in the past year; resetting a token invalidates it, which is what logged those users out.
“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more,” Zuckerberg said.
When these 90 million people log back into Facebook or any apps that use Facebook login, they will be notified at the top of their News Feed, Guy Rosen, vice president of product management, said.
Facebook says there’s no need for users to reset their passwords, since what the attackers obtained were access tokens rather than passwords, and those tokens have now been invalidated.
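To make the token mechanics concrete, here is an added illustration (not Facebook’s code, and not a reconstruction of the actual bugs): a minimal server-side store for signed bearer access tokens, a simplified model of the failure the article describes (a “view as” preview that hands the viewer a token for the account being previewed) beside a hardened version that creates no credential for the other account, and a reset operation that invalidates outstanding tokens without touching passwords. The token format, the HMAC signing scheme, the per-user generation counter and all names are assumptions made for this example.

```python
"""Bearer access tokens with server-side reset.

Added illustration, not Facebook's code. It models what the article describes:
an access token is a long-lived "digital key" that keeps a session logged in,
a feature that hands out a token for the wrong account lets the holder act as
that account, and resetting tokens logs the holder out without changing
passwords. Token format, signing scheme and names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Iterable, Optional


class TokenStore:
    """Signed bearer tokens whose validity is tied to a per-user generation number."""

    def __init__(self, secret: Optional[bytes] = None):
        self._secret = secret or secrets.token_bytes(32)
        self._generation = {}  # user_id -> current generation (bumped on reset)

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, ttl: int = 60 * 60 * 24 * 60,
              now: Optional[float] = None) -> str:
        """Mint a token for user_id valid for ttl seconds (default ~60 days)."""
        now = time.time() if now is None else now
        gen = self._generation.setdefault(user_id, 0)
        payload = f"{user_id}.{gen}.{int(now) + ttl}"
        return f"{payload}.{self._sign(payload)}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id the token authenticates, or None if it is
        malformed, tampered, expired, or predates a reset of that user."""
        now = time.time() if now is None else now
        try:
            user_id, gen, exp, sig = token.rsplit(".", 3)
        except ValueError:
            return None
        payload = f"{user_id}.{gen}.{exp}"
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        if int(exp) < now:
            return None
        if int(gen) != self._generation.get(user_id, 0):
            return None  # issued before a reset: holder is now logged out
        return user_id

    def reset(self, user_ids: Iterable[str]) -> int:
        """Invalidate every outstanding token for these users. Passwords are
        untouched; the users simply have to log in again."""
        count = 0
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1
            count += 1
        return count


def preview_as_vulnerable(store: TokenStore, viewer_token: str, target: str) -> dict:
    """Simplified model of the described failure: the preview is rendered with a
    freshly minted token for the *viewed* account, and that token reaches the
    viewer, who can then use it to act as the target."""
    viewer = store.verify(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    leaked = store.issue(target)  # a credential for someone else's account
    return {"viewer": viewer, "preview_of": target, "token": leaked}


def preview_as_fixed(store: TokenStore, viewer_token: str, target: str) -> dict:
    """Hardened: the preview is computed under the viewer's own identity and no
    credential for the target account is created or returned."""
    viewer = store.verify(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    return {"viewer": viewer, "preview_of": target}


if __name__ == "__main__":
    store = TokenStore()
    alice = store.issue("alice")
    stolen = preview_as_vulnerable(store, alice, "bob")["token"]
    print("attacker can act as:", store.verify(stolen))  # bob
    store.reset(["bob"])
    print("after reset:", store.verify(stolen))          # None
    print("fixed preview:", preview_as_fixed(store, alice, "bob"))
```

The reset is the interesting part: bumping the generation counter turns every token issued under the old value into a dead key, so a store-wide reset of 90 million accounts is a bulk counter update rather than a password change, which is the reason a forced logout and no password reset are consistent with each other.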
The breach marks the latest privacy mishap for Facebook, which has been hammered for the Cambridge Analytica scandal and the unchecked spread of Russian propaganda during and after the 2016 presidential election. Confidence in the giant social network used by more than two billion people around the world has been shaken by the troubling revelations. Another two billion people use Facebook messaging app WhatsApp and Facebook-owned Instagram.
“This is clearly a breach of trust and we take this very seriously. We are working with lawmakers and regulators to let them know what happened,” Rosen told reporters.
Even before Friday’s disclosure, Facebook was ensnared in multiple investigations including a Securities and Exchange Commission inquiry into the company’s statements about the leak of millions of people’s data to Cambridge Analytica.
Such a massive breach is likely to trigger more calls for oversight of Facebook and other tech giants.
Sen. Mark Warner, the vice chairman of the Senate Intelligence Committee, called for a swift and public investigation into the breach.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Warner said in a statement. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
Forrester analyst Jeff Pollard says the Facebook breach illustrates the perils of handing so much sensitive data over to a single company. A critical part of warding off future attacks will be Facebook limiting access to users’ data, he said.
“The fact that a breach at one company can impact tens of millions of users is troubling. Attackers go where the data is, and that has made Facebook an obvious target,” he said in a statement. “The main concern here is that one feature of the platform allowed attackers to harvest the data of tens of millions of users.”