50 million Facebook accounts were compromised by an attack that gave hackers
the ability to take over users’ accounts, Facebook revealed on Friday.
The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected will be notified by Facebook. Those users will be logged out of their accounts and required to log back in.
“I’m glad we found this and fixed the vulnerability,” Mark Zuckerberg said on a conference call with reporters on Friday morning. “But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”
The security breach comes at a time of significant strife for the social media company, which has faced mounting criticism over issues including foreign election interference, the flow of misinformation, hate speech, and data privacy.
The revelation that a political consultancy linked to the US president, Donald Trump, had obtained the personal information of tens of millions of Facebook users prompted widespread concern that the company was cavalier in its approach to privacy.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg wrote in a public apology regarding the Cambridge Analytica breach.
The breach involved “access tokens”, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Possessing a token allows an attacker to take full control of an account.
According to Facebook, the attacker exploited three bugs that were introduced into the site’s “view as” feature in July 2017. “View as” allows users to see what their profile looks like to other users. The company does not yet know when the hack took place, but it said that it began an investigation after discovering unusual activity on 16 September.
In addition to the 50 million accounts whose access tokens were taken, Facebook said that it would require 40 million additional users who used the “view as” tool since July 2017 to log out of their accounts as a precaution. This will reset those users’ access tokens, protecting their accounts.
The company has notified law enforcement, the vice-president of product management, Guy Rosen, said on the conference call. Rosen said that Facebook was working with the FBI, but he did not comment on whether national security agencies were involved in the investigation.
“The investigation is early, and it’s hard to discover who is behind this,” Rosen said. “We may never know.” He did note that the scale and complexity of the hack would have required “a certain level” of expertise.
Another key area of investigation is discovering the extent to which the hackers used the access tokens. The company says it has not yet seen evidence that the hackers accessed private messages or made posts on users’ behalf, but they did attempt to access certain profile information.
Rosen did not provide any details on the location of users affected, saying only that the attack seemed “broad” and investigators had not determined whether there were particular targets. The company has notified the Irish Data Protection Commission about the breach.
News of the hack comes at the end of a week in which many of Facebook’s Silicon Valley peers testified before the US Congress about the possibility of consumer privacy regulations.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” said the US senator Mark Warner in a statement. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
Facebook shares fell about 3% following the disclosure.