Facebook has said “almost 50 million” of its users were left exposed by a security flaw. The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people’s accounts.
The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people’s accounts.
“This is a very serious security issue, and we’re taking it very seriously,” said CEO Mark Zuckerberg said on a call with reporters.
The breach was discovered on Tuesday, Facebook said, and it has informed the police.
More than 90 million Facebook users were forced to log out of their accounts early Friday, a common safety measure taken when accounts have been compromised.
The flaw has been fixed, wrote the firm’s head of security, Guy Rosen, adding all affected accounts had been reset, as well as another 40 million “as a precautionary step”.
The firm would not say where in the world the 50 million users are, but it has informed Irish data regulators, where Facebook’s European subsidiary is based.
Users that had potentially been affected were prompted to re-log-in on Friday. However, the company said users did not have to change their passwords.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. “
He added: “People’s privacy and security is incredibly important, and we’re sorry this happened.”
Facebook’s “View As” function is a privacy feature that allows people to see what their own profile looks to other users, making it clear what information is viewable to their friends, friends of friends, or the public.
Attackers found multiple bugs in this feature that “allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts”, Mr. Rosen explained.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.