Unknown attackers accessed 50 million Facebook accounts this month, and executives said Friday that any potentially compromised accounts had been logged out of the service as an investigation continued.
In a blog post, Facebook executive Guy Rosen said that the social network’s “view as” feature, which lets users see their profile page as a specific user would, allowed access to that other account’s “token,” or identification. The hackers found that a video uploader coughed up a friend’s token within a “Happy Birthday” option that was not supposed to be active in “view as” mode, and then would use the trick against more friends of the accounts they accessed.
“These access tokens enabled someone to use the account as if they were … the account holder themselves,” Rosen said in the second of two conference calls Facebook held with the media about the breach on Friday. “This does mean they could have accessed other third-party apps that were using Facebook Login.”
Facebook actually logged off 90 million users Friday, executives said: The 50 million affected accounts and another 40 million that had used the ”view as” feature since a July 2017 update caused the security hole. Users who were logged out were promised notifications with more information at the top of their pages when they regained control of their account.
On the morning conference call, Facebook assured the media that credit-card numbers could not have been accessed, but repeatedly stressed that it was early in the investigation when questioned about other parts of a user’s accounts, such as private messages. Facebook began investigating on Sept. 16, after noticing unusual account activity, and discovered the vulnerability on Tuesday. By Thursday evening, they had patched it and begun forcing users out to require a password for entry.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen wrote in the blog post. “We also don’t know who’s behind these attacks or where they’re based.”
Facebook said the vulnerability is fixed, law enforcement has been notified and the breach has been disclosed to the Irish Data Protection Commission to satisfy a GDPR requirement to notify within 72 hours. The company will turn off the “view as” feature temporarily.
“While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place,” Chief Executive Mark Zuckerberg said in a post on his Facebook account, which was reportedly one of the 50 million affected.
Facebook’s stock FB, -2.59% took a hit directly after the breach was announced, and closed down 2.6% on the day. Shares have declined 6.8% so far this year amid other data scares, such as the Cambridge Analytica scandal, and the increasing costs Facebook is facing to confront its issues. The S&P 500 index SPX, +0.00% has gained 9% in 2018.
The breach is likely to increase pressure on Facebook, which has already faced blowback from politicians for earlier privacy issues. U.S. Sen. Mark Warner, a Virginia Democrat, called the breach “deeply concerning” in an email statement Friday.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax EFX, +0.14% are able to accumulate so much personal data about individual Americans without adequate security measures,” he wrote. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”