Facebook has said at least 50 million user accounts may be at risk after hackers exploited a security vulnerability on the site.
The company said in a blog post Friday that it discovered the bug earlier in the week. The bug is part of the site’s “View As” feature that lets a user see their profile as someone else. Facebook has switched off the “View As” feature in the meantime while it investigates the bug further.
The bug allowed hackers to obtain account access tokens, the credentials a site issues when a user enters their username and password so they stay logged in without having to re-enter them. A stolen token lets an attacker use the account as that user without knowing the password.
Facebook said that it has reset access tokens of all users affected, as well as an additional 40 million accounts out of an abundance of caution. That means some 90 million users will have been logged out of their account — either on their phone or computer — in the past day.
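To make concrete what "resetting access tokens" does on the server side, here is an added Python illustration (not Facebook's code; the store, account names and the leaked token are constructed for the example). Each account carries a token generation counter; bumping it voids every token issued earlier, including any copy held by a third party, for both the affected accounts and the precautionary set, while accounts outside both sets stay logged in.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Hypothetical server-side access-token registry (illustration only)."""
    # token -> (user_id, generation the token was issued under)
    tokens: dict = field(default_factory=dict)
    # user_id -> current generation; bumping it invalidates all older tokens
    generation: dict = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        """Issue a fresh random token bound to the user's current generation."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, self.generation.get(user_id, 0))
        return token

    def user_for(self, token: str):
        """Return the user a token belongs to, or None if unknown or reset."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user_id, gen = entry
        if gen != self.generation.get(user_id, 0):
            self.tokens.pop(token, None)  # stale token: drop it and refuse
            return None
        return user_id

    def reset_tokens(self, user_ids) -> None:
        """Log the given accounts out everywhere by bumping their generation."""
        for uid in user_ids:
            self.generation[uid] = self.generation.get(uid, 0) + 1


def simulate_breach_response() -> dict:
    """Walk through a reset of affected plus precautionary accounts."""
    store = TokenStore()
    affected, precautionary, untouched = ["alice", "bob"], ["carol"], ["dave"]
    issued = {u: store.issue(u) for u in affected + precautionary + untouched}
    leaked = issued["alice"]  # constructed: a token an attacker obtained
    leaked_valid_before = store.user_for(leaked) == "alice"
    store.reset_tokens(affected + precautionary)
    return {
        "leaked_valid_before": leaked_valid_before,
        "leaked_valid_after": store.user_for(leaked) == "alice",
        "reset_accounts_logged_out": all(
            store.user_for(issued[u]) is None for u in affected + precautionary),
        "untouched_still_logged_in": store.user_for(issued["dave"]) == "dave",
        "relogin_works": store.user_for(store.issue("alice")) == "alice",
    }
```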
Facebook also said that users will be notified of the security incident through a notification in their News Feed once they log back in.
“We have yet to determine whether these accounts were misused or any information accessed,” said Guy Rosen, Facebook’s vice president of product management. “We also don’t know who’s behind these attacks or where they’re based.”
Rosen said that Facebook spotted the attack because the hackers were automating their attack on a “large scale.”
Chief executive Mark Zuckerberg said on a call with reporters that the company doesn’t know if any accounts have been improperly accessed, though he said that the attackers tried to access account information by querying its developer APIs, which Facebook locked down last night.
“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts,” Zuckerberg told reporters. “But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way,” he said.
The vulnerability, which was a result of three distinct bugs, was introduced in July 2017, when Facebook created a new video upload functionality on the service. On September 16, 2018, Facebook discovered unusual activity and launched an investigation that same week. On Tuesday, September 25, it uncovered the attack. It then notified law enforcement on Thursday, September 27, in the afternoon.
On Thursday evening, it fixed the vulnerability and began resetting the access tokens of affected users to protect the security of their accounts.
Facebook said the FBI is now investigating. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located.
The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.
The Federal Trade Commission’s Rohit Chopra also tweeted about the breach, suggesting the agency may investigate.
“If we find more affected accounts, we will immediately reset their access tokens,” said Rosen. “This is a breach of trust and we take this very seriously.”
“I’m glad that we found this and that we were able to fix the vulnerability and secure accounts,” Zuckerberg told reporters. “But it definitely is an issue that this happened in the first place. And I think this underscores the attacks that our community and our service face, and the need to keep on investing heavily in security and being more proactive about protecting our community. And we’re certainly committed to doing that,” he added.
The attacks on Facebook have forced the company to rethink its overall development process. It has gone from a “move fast and break things” mentality to one of a slower and more cautious approach.
Facebook has been without a chief security officer since the departure of Alex Stamos in August. The social network retired the position after Stamos left. But the company said that this year it’s growing the number of people working on safety and security from 10,000 to 20,000.
Sen. Mark Warner, vice-chairman of the Senate Intelligence Committee, warned in a statement of the “dangers” posed by companies that are “able to accumulate so much personal data about individual Americans without adequate security measures.”
The social network has 2.2 billion monthly active users as of its second quarter earnings.