Facebook on Friday said a breach affected 50 million people on the social network.
The vulnerability stemmed from Facebook’s “View As” feature, which lets people see what their profiles look like to other people. Attackers exploited code associated with the feature that allowed them to steal “access tokens” that could be used to take over people’s accounts.
While access tokens aren’t your password, they allow people to log into accounts without needing it. As a precautionary measure, Facebook logged about 90 million people out of their accounts, the company said.
The social network said it discovered the attack earlier this week and informed law enforcement. The company said the investigation is in the early stages and Facebook does not yet know who was behind the attacks.
“We face constant attacks from people who want to take over accounts or steal information around the world,” CEO Mark Zuckerberg said in a Facebook post. “While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
The news comes as Facebook has been under intense scrutiny for its ability to keep people’s data safe. The company is still reeling from its Cambridge Analytica scandal in March, in which a UK-based digital consultancy harvested the personal information of 87 million Facebook users.
The vulnerability disclosed on Friday came from a change issued in July 2017, when Facebook adjusted how people could upload videos. Facebook is still investigating the attack, and does not know how much information was stolen or who is behind the hack. Because access tokens were stolen and not passwords, Facebook said that affected users don’t need to change their security settings.
Access tokens are pieces of code that are granted to a user after logging in for the first time. They’re often used across websites so that you don’t have to log back in every time you go to a page. Facebook uses them for logins, and they allow for secure access without needing a password.
“People’s privacy and security is incredibly important, and we’re sorry this happened,” Guy Rosen, Facebook vice president of product management, said in a blog post. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
This is a developing story…