Facebook has disclosed a serious security concern that, if exploited, would have allowed hackers to access information and gain control of over 50 million accounts.
In an announcement on Friday, Facebook said its engineering team had discovered a vulnerability that attackers had already found and exploited. Specifically, the “View As” feature, which lets people preview how their profile appears to someone else, was abused to steal Facebook access tokens that could have been used to take over people’s accounts.
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Nearly 50 million accounts were affected, and all of their access tokens were reset. Facebook also reset the tokens of an additional 40 million accounts as a precautionary measure, bringing the total to 90 million accounts out of an estimated 2.23 billion active user accounts.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Facebook added. “After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
The “View As” feature has been disabled while Facebook carries out a forensic analysis of the breach. The company added that it will “conduct a thorough security review.”
For its part, Facebook says it has yet to determine whether any of the compromised accounts were misused. It further said it does not know who the attackers are or where they are from.
“People’s privacy and security is incredibly important, and we’re sorry this happened,” Facebook said.
Image credit: LIFARS archives.