Accounts of 50 million users affected due to security breach: Facebook
Washington, Sep 28: The social media company has revealed hackers accessed the site by exploiting a vulnerability in Facebook's code. The monumental blunder was revealed on Friday, three days after the attack actually took place.
The company said they do not know who is behind the attacks. More than 90 million users will now have to log back into their accounts. The site has temporarily turned off its "view as" feature while they conduct a security review.
"It's clear that attackers exploited a vulnerability in Facebook's code," vice president of product management Guy Rosen said in a blog post. "We've fixed the vulnerability and informed law enforcement."
Facebook chief executive Mark Zuckerberg said engineers discovered the breach on Tuesday, and patched it on Thursday night. "We don't know if any accounts were actually misused," Zuckerberg said.
"This is a serious issue." As a precaution, Facebook is temporarily taking down the "view as" feature -- described as a privacy tool to let users see how their own profiles would look to other people.
"We face constant attacks from people who want to take over accounts or steal information around the world," Zuckerberg said on his Facebook page. "While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place."
Facebook said it took an additional "precautionary step" of resetting access tokens for another 40 million accounts where the vulnerable feature was used.
As a precaution, Facebook is now logging around 90 million people out of their accounts. You'll have to log back in to Facebook as a result - that includes any apps that you might log into with Facebook, like Spotify.
What might have been accessed?
However, the lingering question is what data may have been accessed in the breach. In theory, the worst thing that an attacker could find would be anything that you yourself can view on your Facebook profile, which includes names, dates of birth, family members, and likely years of photos. That is enough for a phishing attack on people's other accounts, like banks or credit cards, but it does mean that no banking or sign-in information should have been at risk. Facebook also says there is no need to change your password.
The breach is the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had personal data hijacked by a political firm working for Donald Trump in 2016.