Facebook says at least 50 million users affected by account takeover bug
The company said in a blog post Friday that it discovered the bug earlier in the week. The bug is part of the site’s “View As” feature that lets a user see their profile as someone else. Facebook has switched off the “View As” feature in the meantime while it investigates the bug further.
Facebook said that it’s reset access tokens of all users affected, as well as an additional 40 million accounts out of an abundance of caution. That means some 90 million users will have been logged out of their account — either on their phone or computer — in the past day.
Facebook also said that users will be notified of the security incident once they log back in through a notification in their News Feed.
“We have yet to determine whether these accounts were misused or any information accessed,” said Guy Rosen, Facebook’s vice president of product management. “We also don’t know who’s behind these attacks or where they’re based.”
Rosen said that Facebook spotted the attack because the hackers were carrying it out in an automated way on a “large scale.”
Chief executive Mark Zuckerberg said in a call with reporters that the company doesn’t know if any accounts have been improperly accessed, though he said that the attackers tried to access account information by querying its developer APIs, which Facebook locked down last night.
Facebook has contacted law enforcement, the blog post said. Specifically, the FBI is investigating, the company clarified on the call. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located.
“If we find more affected accounts, we will immediately reset their access tokens,” said Rosen. “This is a breach of trust and we take this very seriously.”
The social network has 2.2 billion monthly active users as of its second quarter earnings.
Facebook has been without a chief security officer since the departure of Alex Stamos in August. The social network retired the position after Stamos left.