Facebook Breach May Have Allowed Attackers to Take Over 50 Million Accounts

[Image: Mark Zuckerberg. Credit: Anthony Quintano / Flickr]

Facebook on Friday disclosed a new data breach directly affecting 50 million users that had exposed personal information of impacted accounts.

The Menlo Park company first discovered the “security issue” on Tuesday, Sept. 25, it wrote in a security update. Facebook said attackers exploited code impacting the site’s “View As” feature, which lets someone see what their profile looks like to another user.

This reportedly allowed attackers to steal “access tokens,” which could have been used to log in and take over a Facebook user’s account.

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

Have I Been Affected?

In the wake of its discovery, the company said it fixed the vulnerability and informed law enforcement before taking additional measures.

Those additional measures include logging nearly 90 million users out of Facebook to “protect their security.” That’s the 50 million accounts that were directly impacted by the exploit, along with another 40 million accounts that were subjected to a “View As look-up” in the past year, Facebook said.

If you’ve been logged out of Facebook on your various devices or apps, then your account is one of those 90 million. The firm says that impacted users will get a News Feed notification explaining the situation.

The company notes that it will disable the access tokens of any further potentially impacted accounts it discovers.

While Facebook admitted that their investigation is still “in its early stages,” the firm’s VP of product management said in a press call Friday that it “did see this attack being used at a fairly large scale.”

Presently, the social media juggernaut said it’s unclear whether compromised accounts were misused or had any sensitive data stolen from them. Facebook added that there’s no word on who is behind the attacks.

Even before Friday’s disclosure, Facebook was already embroiled in multiple federal investigations and is the subject of a Securities and Exchange Commission inquiry, The New York Times notes.

What Do I Do Now?

If you’re concerned about your own account or data, you can visit Facebook’s Security and Login section. It will list every device that’s logged into your account and give you the option of logging out of all of them with a click.
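The two responses the article describes, a platform invalidating access tokens for a whole population of accounts at once and a user reviewing active devices and logging all of them out, both come down to how a session store tracks tokens. The sketch below is an added illustration, not Facebook's code or anything the article shows: it assumes a hypothetical server-side `SessionStore` with a per-user revocation counter, so that "log this user out everywhere" is a single counter increment rather than a hunt for every outstanding token, while an individual device can still be logged out on its own. The signing key and all user and device names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed server-side signing key; a real deployment loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    token_id: str
    user_id: str
    device: str
    generation: int   # the user's revocation counter at issue time
    issued_at: float


class SessionStore:
    """Hypothetical token issuer with per-user bulk revocation.

    Every user has a revocation counter ("generation"). A token records the
    generation it was issued under and is only accepted while that matches
    the user's current counter, so bumping the counter logs the user out of
    every device at once in O(1), regardless of how many tokens exist.
    """

    def __init__(self):
        self._sessions: dict[str, Session] = {}   # token_id -> Session
        self._generation: dict[str, int] = {}     # user_id -> current counter

    def _sign(self, token_id, user_id, generation):
        msg = f"{token_id}|{user_id}|{generation}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id, device):
        gen = self._generation.setdefault(user_id, 0)
        token_id = secrets.token_urlsafe(16)   # never contains '.', so it splits cleanly
        self._sessions[token_id] = Session(token_id, user_id, device, gen, time.time())
        # Bearer token: opaque id plus an HMAC binding it to user and generation.
        return f"{token_id}.{self._sign(token_id, user_id, gen)}"

    def validate(self, token):
        """Return the user_id for an acceptable token, or None if it must be rejected."""
        try:
            token_id, sig = token.split(".", 1)
        except ValueError:
            return None
        sess = self._sessions.get(token_id)
        if sess is None:
            return None   # unknown, or revoked individually
        expected = self._sign(sess.token_id, sess.user_id, sess.generation)
        if not hmac.compare_digest(sig, expected):
            return None   # tampered token
        if sess.generation != self._generation.get(sess.user_id, 0):
            del self._sessions[token_id]   # issued before a revoke-all: drop it lazily
            return None
        return sess.user_id

    def active_devices(self, user_id):
        """What a 'Security and Login' style page would list for the user."""
        current = self._generation.get(user_id, 0)
        return [s.device for s in self._sessions.values()
                if s.user_id == user_id and s.generation == current]

    def revoke(self, token):
        """Log out one device only."""
        self._sessions.pop(token.split(".", 1)[0], None)

    def revoke_all(self, user_id):
        """Log the user out everywhere by bumping the counter; stale rows expire lazily."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def revoke_users(self, user_ids):
        """Bulk response for a set of potentially impacted accounts."""
        for uid in user_ids:
            self.revoke_all(uid)
        return len(user_ids)


if __name__ == "__main__":
    store = SessionStore()
    phone = store.issue("alice", "phone")       # constructed sample users
    store.issue("alice", "laptop")
    print("alice devices:", store.active_devices("alice"))
    store.revoke_users({"alice"})
    print("phone token still valid after revoke-all?", store.validate(phone) is not None)
```

Because validity is decided by comparing the token's generation with the user's current counter, the revocation is immediate and complete even for tokens the operator never enumerated, which is the property a mass logout needs; per-device logout simply deletes the one session row.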
