Facebook has announced that a previously unreported attack on its network exposed the personal data of nearly 50 million users. The company said that it discovered the breach earlier this week. Attackers used a flaw in Facebook’s code to take over user accounts, the company said.
The social network says that the vulnerability has been fixed and law enforcement has been notified. Some 90 million users have been forced to log out of their accounts as of Friday morning, and when they log back in, Facebook will notify them about the breach. That move was a precautionary measure, the company said.
The flaw was in Facebook’s “View As” tool, a privacy feature that lets Facebook users view their own profile as if they were someone else. It can be used to verify that no more information is exposed to an individual than you want, but in this case, it seems as if a flaw in Facebook’s security let attackers do much more:
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
The forced logouts will ensure that no ongoing access to an account is possible with the stolen security token. Facebook has forced the 50 million accounts it knows were affected to log out, as well as 40 million more that have used the “View As” feature in the last year.
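The mechanism behind the forced logouts is server-side session revocation: a stolen access token is only useful while the server still honours it. The following is an added example, not Facebook's code; the session store, the per-user "session version" scheme, the audit-log format and all names and sample data are assumptions constructed for the illustration. It shows how bumping a user's session version invalidates every outstanding token at once, and how the set of accounts to log out can be built from the known-affected list plus everyone who used the feature within a look-back window, as the article describes.

```python
"""Server-side session revocation, modelled on the article's forced logouts.

Added example, not Facebook's code. The token layout, the session-version
scheme, the audit-log format and all sample data are assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    version: int      # user's session version when the token was issued
    expires_at: int   # unix seconds


class SessionStore:
    """Opaque random tokens, looked up server-side.

    Every user has a session version. A token is valid only while the
    version recorded in it matches the user's current version, so a forced
    logout is a single increment per user: every outstanding token for that
    user dies at once, without enumerating or shipping them anywhere.
    """

    def __init__(self):
        self._sessions = {}   # token -> Session
        self._version = {}    # user_id -> current session version

    def issue(self, user_id, now, ttl=90 * 24 * 3600):
        # 256 bits from the OS CSPRNG: the token is unguessable, so its only
        # exposure is theft, which is exactly what revocation addresses.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._version.get(user_id, 0), now + ttl)
        return token

    def validate(self, token, now):
        """Return the user id for a live token, or None if unknown, expired or revoked."""
        s = self._sessions.get(token)
        if s is None or now >= s.expires_at:
            return None
        if s.version != self._version.get(s.user_id, 0):
            return None   # invalidated by a forced logout
        return s.user_id

    def force_logout(self, user_ids):
        """Invalidate all tokens for each listed user; returns how many users were affected."""
        affected = set(user_ids)
        for uid in affected:
            self._version[uid] = self._version.get(uid, 0) + 1
        return len(affected)


def accounts_to_log_out(known_affected, view_as_log, now, window=365 * 24 * 3600):
    """Precautionary set: known-affected accounts plus anyone who used the
    feature within the look-back window (the article's 'last year')."""
    recent = {uid for uid, ts in view_as_log if now - ts <= window}
    return set(known_affected) | recent


# Constructed sample data (assumptions, not real Facebook records).
NOW = 1_538_000_000                       # roughly late September 2018
KNOWN_AFFECTED = {"alice", "bob"}         # accounts whose tokens are known stolen
VIEW_AS_LOG = [                           # (user_id, unix time of a 'View As' use)
    ("bob", NOW - 100),                   # already in the affected set
    ("carol", NOW - 400 * 24 * 3600),     # used it, but outside the one-year window
    ("dave", NOW - 10 * 24 * 3600),       # used it recently: logged out as a precaution
]

if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", now=NOW)
    print("before revocation:", store.validate(tok, now=NOW + 60))
    targets = accounts_to_log_out(KNOWN_AFFECTED, VIEW_AS_LOG, NOW)
    print("forcing logout of", sorted(targets))
    store.force_logout(targets)
    print("after revocation: ", store.validate(tok, now=NOW + 60))
```

The point of the version counter is that revocation is O(1) per user and needs no list of the stolen tokens, which an operator typically does not have; the cost is that it logs the user out of every device, which is why the article describes it as a precautionary measure rather than a targeted one.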
The lingering question is what data may have been accessed in the breach. In theory, the worst thing an attacker could find would be anything that you yourself can view on your Facebook profile, which includes names, dates of birth, family members, and likely years of photos. Although that is enough to mount a phishing attack against a person’s other accounts, such as banks or credit cards, it also means that no banking or sign-in information should have been at risk. Facebook also says there is no need to change your password.