A security breach at Facebook compromised nearly 50 million users and gave attackers the ability to take over their accounts, the social media company said in a blog post yesterday.
Facebook engineers discovered the security breach on Tuesday, 25 September.
Attackers exploited a vulnerability in Facebook’s code affecting the “View As” feature*. This allowed them to steal Facebook access tokens**, which they could then use to take over people’s accounts.
*View As is a feature that lets people see what their own profile looks like to someone else.
**Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.
Chief Executive Officer and Founder Mark Zuckerberg said, “we are taking precautionary measures for those who might have been affected.”
Strengthening Security Measures
Measures are underway to address the issue and prevent it from recurring, said Mark Zuckerberg, adding that the company has already taken the following steps:
1. Patched the security vulnerability to prevent this attacker or any other from stealing additional access tokens.
2. Invalidated the access tokens of the 50 million affected people, causing them to be logged out. These people will have to log back in to regain access to their accounts.
3. Notified the 50 million affected users, via a message at the top of their News Feed when they log back in, about what happened.
4. Temporarily disabled the “View As” feature until the investigation is complete.
5. Logged out everyone who used the “View As” feature since the vulnerability was introduced. This will require another 40 million people or more to log back into their accounts.
Facebook said it has no evidence that the accounts of the other 40 million people who used the “View As” feature have been compromised.
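The remediation steps above rest on one property of access tokens: they are bearer credentials, so whoever holds a copy is logged in as the victim until the server stops honouring it. The following Python is an added illustration of that point and of the two kinds of revocation described (targeted, for the accounts known to be affected; precautionary, for every session that used a feature while the vulnerable code was live). It is not Facebook’s code, which is not public; the `SessionStore` class, its method names and the sample users and timestamps are invented here.

```python
"""Server-side session store for opaque bearer access tokens.

Added example, not Facebook's code. All names here (SessionStore, issue,
validate, record_feature_use, revoke_users, revoke_feature_used_since) are
hypothetical, and the users and timestamps in demo() are constructed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    issued_at: float
    uses: list = field(default_factory=list)  # (feature, unix_timestamp) pairs


class SessionStore:
    """The client holds a random opaque string; the server keeps only its
    SHA-256, so a dump of the store cannot be replayed as live tokens."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Log a user in: mint a fresh token and remember who it belongs to."""
        token = secrets.token_urlsafe(32)
        issued_at = time.time() if now is None else now
        self._sessions[self._key(token)] = Session(user_id, issued_at)
        return token

    def validate(self, token):
        """Return the user a token identifies, or None if unknown or revoked."""
        session = self._sessions.get(self._key(token))
        return session.user_id if session else None

    def record_feature_use(self, token, feature, at):
        """Audit trail: which sessions exercised which feature, and when."""
        session = self._sessions.get(self._key(token))
        if session is None:
            raise PermissionError("invalid or revoked token")
        session.uses.append((feature, at))

    def revoke_users(self, user_ids):
        """Targeted step: log out accounts known to have had tokens stolen."""
        return self._revoke_where(lambda s: s.user_id in user_ids)

    def revoke_feature_used_since(self, feature, since):
        """Precautionary step: log out every session that used `feature`
        while the vulnerable code was live, whether or not abuse is proven."""
        return self._revoke_where(
            lambda s: any(f == feature and at >= since for f, at in s.uses))

    def _revoke_where(self, predicate):
        doomed = [k for k, s in self._sessions.items() if predicate(s)]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)  # number of sessions forced to log in again


def demo():
    store = SessionStore()
    bug_live_since = 1_500_000_000.0  # constructed: when the flaw shipped

    alice = store.issue("alice", now=bug_live_since + 10)
    bob = store.issue("bob", now=bug_live_since + 20)
    carol = store.issue("carol", now=bug_live_since - 100)
    dave = store.issue("dave", now=bug_live_since - 100)
    store.record_feature_use(alice, "view_as", bug_live_since + 15)  # in window
    store.record_feature_use(carol, "view_as", bug_live_since - 50)  # before bug
    store.record_feature_use(dave, "view_as", bug_live_since + 30)   # in window

    # A copied token is the account: the attacker is simply "alice".
    stolen = alice
    takeover = store.validate(stolen)

    # Step 2 in the article: invalidate tokens of the known-affected users.
    n_targeted = store.revoke_users({"alice"})
    after_revoke = store.validate(stolen)  # attacker is now locked out

    # Step 5: log out everyone who used View As since the bug was introduced.
    # Dave's token predates the bug but his use falls in the window; Carol's
    # use predates the bug and Bob never used the feature, so both stay in.
    n_precautionary = store.revoke_feature_used_since("view_as", bug_live_since)

    # The legitimate user logs back in and gets a fresh, unrelated token.
    alice_new = store.issue("alice")
    return {
        "takeover": takeover,
        "after_revoke": after_revoke,
        "n_targeted": n_targeted,
        "n_precautionary": n_precautionary,
        "bob_still_valid": store.validate(bob),
        "carol_still_valid": store.validate(carol),
        "dave_still_valid": store.validate(dave),
        "alice_new_valid": store.validate(alice_new),
        "stolen_still_dead": store.validate(stolen),
    }


if __name__ == "__main__":
    print(demo())
```

Both revocations are possible only because the server keeps a record per token. A self-contained signed token that the server checks by signature alone cannot be revoked individually; the fallback there is rotating the signing key, which logs out every user at once rather than the affected subset.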