At least 50 million Facebook accounts may have been compromised after attackers found a vulnerability with one of the site’s features.
Guy Rosen, Facebook’s Vice President of Product Management, said the company’s engineering team found the security issue Tuesday.
Attackers apparently exploited a vulnerability in code that impacted “View As,” the feature that allows users to view their profile as someone else. The flaw exposed access tokens, the credentials that let users stay logged in without re-entering their passwords every time they use Facebook, and attackers could use those tokens to take over people’s accounts.
Rosen said Facebook has fixed this vulnerability and “informed law enforcement.”
The company has reset the access tokens of those 50 million users, and as a precaution, reset another 40 million users’ access tokens.
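The token reset described above is the standard remedy when tokens may have leaked: a stolen token is indistinguishable from a legitimate one, so the only fix is to make every outstanding token for the affected users invalid. The following is an added illustration, not code from the article or from Facebook's systems; the per-user generation counter, HMAC-signed token format and user names are all constructed assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Iterable, Optional


class AccessTokenStore:
    """Toy server-side token store (constructed for this example).

    Each token carries the user's current "generation"; bumping the
    generation invalidates every token issued before the reset.
    """

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._generation: Dict[str, int] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        gen = self._generation.setdefault(user_id, 1)
        payload = f"{user_id}.{gen}.{secrets.token_hex(8)}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a valid token, or None."""
        try:
            user_id, gen, nonce, tag = token.split(".")
        except ValueError:
            return None  # malformed token
        if not hmac.compare_digest(tag, self._sign(f"{user_id}.{gen}.{nonce}")):
            return None  # forged or tampered token
        if not gen.isdigit() or int(gen) != self._generation.get(user_id):
            return None  # token predates a reset: user must log in again
        return user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> None:
        """Incident response: invalidate all tokens for the given users."""
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 1) + 1


def reset_scenario() -> Dict[str, bool]:
    """Affected user 'alice' and precautionary 'bob' are reset; 'carol' is not."""
    store = AccessTokenStore(secrets.token_bytes(32))
    alice, bob, carol = (store.issue(u) for u in ("alice", "bob", "carol"))
    leaked_copy = alice  # a token obtained through a flaw looks exactly like the real one
    store.reset_tokens(["alice", "bob"])
    tampered = carol[:-1] + ("0" if carol[-1] != "0" else "1")
    return {
        "leaked_alice_valid": store.validate(leaked_copy) is not None,
        "bob_valid": store.validate(bob) is not None,
        "carol_valid": store.validate(carol) == "carol",
        "alice_relogin_valid": store.validate(store.issue("alice")) == "alice",
        "tampered_valid": store.validate(tampered) is not None,
    }
```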
Facebook will be temporarily turning off the “View As” feature.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” Rosen said.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens,” he added.
“People’s privacy and security is incredibly important, and we’re sorry this happened.”
The Sept. 28 security update can be found here.