Facebook has once again suffered a major user data breach which left the accounts of 50 million users vulnerable until it was fixed.
In a post to the Facebook blog titled “Security Update,” Guy Rosen, Facebook’s Vice President of Product Management, revealed that the company had once again fallen victim to a major user data breach. Rosen said that on the afternoon of September 25, company engineers noticed a security issue affecting approximately 50 million Facebook user accounts.
The security bug reportedly related to a vulnerability in Facebook’s “View As” feature, which lets users see what their own Facebook profile looks like to someone else. The bug allowed attackers to steal the security tokens (access tokens) of other users’ accounts and use them to access those accounts. These tokens are like digital keys that keep users logged into Facebook so they don’t have to log in again every time they visit the website.
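The two controls the story turns on are that a token must only ever act as the account that actually authenticated (a “View As” preview is a claim about the session, never a change of subject), and that a provider must be able to invalidate every outstanding token for an account at once, which is what the mass access-token reset Rosen describes below amounts to. The following is an added illustration of those two properties, not Facebook’s code; the signing key, the per-user version counter and the `issue_token`/`verify_token`/`reset_access_tokens` names are all assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed signing key for this example; a real deployment keeps it in a KMS/HSM.
SIGNING_KEY = secrets.token_bytes(32)
# Per-user token generation counter (assumed design). Bumping it invalidates every
# token previously issued to that user, i.e. a server-side "reset access tokens".
_token_version = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(authenticated_user: str, view_as: Optional[str] = None) -> str:
    """Mint a session token for the *authenticated* principal only.
    A "View As" preview is recorded as a claim, never as the token subject,
    so the token can never be presented as the account being previewed."""
    claims = {
        "sub": authenticated_user,
        "view_as": view_as,
        "ver": _token_version.get(authenticated_user, 0),
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token: str) -> Optional[str]:
    """Return the account this token may act as, or None if forged or revoked."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    # Revocation check: a token minted before the account's last reset is dead.
    if claims["ver"] != _token_version.get(claims["sub"], 0):
        return None
    return claims["sub"]

def reset_access_tokens(users) -> int:
    """Invalidate all outstanding tokens for the given accounts (forces re-login)."""
    for user in users:
        _token_version[user] = _token_version.get(user, 0) + 1
    return len(users)
```

Note that revocation by version counter works only because verification consults server-side state; a purely self-contained signed token cannot be recalled before it expires.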
Rosen said that Facebook has fixed the vulnerability, informed law enforcement and temporarily disabled the “View As” function. In his words:
We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Currently, it appears that Facebook knows very little about the possible damage caused by the bug. Rosen wrote:
Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.
People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.
The full blog post can be read here.