Nearly 50m Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts, Facebook revealed on Friday.
The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected will be notified by Facebook. Those users will be logged out of their accounts and required to log back in.
“I’m glad we found this and fixed the vulnerability,” Mark Zuckerberg said on a conference call with reporters on Friday morning. “But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”
Who has been affected?
The firm would not say where in the world the 50 million users are, but it has informed data regulators in Ireland, where Facebook’s European subsidiary is based.
The company said the users prompted to log in again did not have to change their passwords.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”
He added: “People’s privacy and security is incredibly important, and we’re sorry this happened.”
The company has confirmed that Facebook founder Mark Zuckerberg and its chief operating officer Sheryl Sandberg were among the 50 million accounts affected.
What is ‘View As’?
Facebook’s “View As” function is a privacy feature that allows people to see what their own profile looks like to other users, making it clear what information is viewable to their friends, friends of friends, or the public.
Attackers found multiple bugs in this feature that “allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts”, Mr Rosen explained.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” said the US senator Mark Warner in a statement. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
Facebook shares fell about 3% following the disclosure.
Articles about the data breach by the Guardian and the Associated Press were temporarily flagged as spam on Facebook, preventing users from sharing news of the attack on their profiles. The company attributed the error to its “automated systems” and apologized, but did not provide further explanation.