Hackers exploited a vulnerability in “View As,” a feature that lets people see what their personal profile looks like to others. They were thus able to steal access tokens, which gave them the ability to hijack accounts.
The problem was discovered on Tuesday and has already been fixed. In a statement, Facebook noted that it has already informed law enforcement. The company has reset the access tokens for people known to have been affected, as well as for another 40 million accounts that have been subject to “View As” lookups in the past year.
“We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year,” Facebook said in a statement. “As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
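The remediation described above, stolen bearer tokens made worthless by a server-side reset that forces re-login, can be illustrated with a small token store. The following is an added, hypothetical example written for this page; it is not Facebook's code and does not reflect its real token format. It binds each token to a per-user version number, so bumping the version revokes every token issued before it, and it applies the article's two-tier response: reset the known-affected accounts, then as a precaution reset every account that was the target of a “View As” lookup in the last year. All names, keys, timestamps and the lookup history are constructed.

```python
import hmac
import hashlib
import secrets

# Hypothetical in-memory token store for illustration only; the key and data
# below are constructed and do not reflect any real system.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
ONE_YEAR = 365 * 24 * 3600


class TokenStore:
    """Issues HMAC-signed bearer tokens bound to a per-user token version.

    Bumping a user's version invalidates every token issued before the bump.
    That is the effect of a mass 'reset access tokens' operation: a stolen
    token stops working and the user must log in again to get a fresh one."""

    def __init__(self):
        self.token_version = {}   # user_id -> current version
        self.view_as_log = []     # (timestamp, target_user_id) for 'View As' lookups

    def register(self, user_id):
        self.token_version.setdefault(user_id, 1)

    def _mac(self, payload):
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user_id):
        version = self.token_version[user_id]
        payload = f"{user_id}.{version}.{secrets.token_hex(8)}"
        return f"{payload}.{self._mac(payload)}"

    def verify(self, token):
        """Return the owning user_id, or None if the token is forged or revoked."""
        try:
            user_id, version, nonce, mac = token.split(".")
        except ValueError:
            return None
        payload = f"{user_id}.{version}.{nonce}"
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None                      # tampered or forged
        if int(version) != self.token_version.get(user_id):
            return None                      # issued before a reset, or unknown user
        return user_id

    def record_view_as(self, target_user_id, when):
        self.view_as_log.append((when, target_user_id))

    def view_as_targets_since(self, since):
        return {uid for (ts, uid) in self.view_as_log if ts >= since}

    def reset_tokens(self, user_ids):
        """Revoke all outstanding tokens for the given users; returns how many were reset."""
        count = 0
        for uid in user_ids:
            if uid in self.token_version:
                self.token_version[uid] += 1
                count += 1
        return count


def respond_to_token_theft(store, known_affected, now):
    """Two-tier response: reset known-affected accounts, then as a precaution
    every account looked up via 'View As' in the last year."""
    precautionary = store.view_as_targets_since(now - ONE_YEAR) - set(known_affected)
    return {
        "known_affected_reset": store.reset_tokens(known_affected),
        "precautionary_reset": store.reset_tokens(precautionary),
    }


def demo():
    """Constructed scenario: alice is known affected, bob was 'viewed as' last
    month, carol two years ago, dave never. Returns the reset counts and the
    set of users whose original tokens still verify afterwards."""
    store = TokenStore()
    now = 1_700_000_000  # constructed timestamp
    users = ("alice", "bob", "carol", "dave")
    for uid in users:
        store.register(uid)
    tokens = {uid: store.issue_token(uid) for uid in users}
    store.record_view_as("bob", now - 30 * 24 * 3600)
    store.record_view_as("carol", now - 2 * ONE_YEAR)
    counts = respond_to_token_theft(store, known_affected=["alice"], now=now)
    still_valid = {uid for uid, tok in tokens.items() if store.verify(tok) == uid}
    return counts, still_valid


if __name__ == "__main__":
    print(demo())
```

Only alice (known affected) and bob (looked up within the year) are reset; carol's lookup is outside the window, so her token and dave's continue to verify. The version check is what makes the reset effective without keeping a blocklist of every stolen token: the server never needs to know which tokens were taken, only which accounts to invalidate.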
“View As” is being temporarily disabled while the company conducts a security analysis. The company already knows, however, that the security hole originated with a July 2017 change to video uploads.
It’s not yet known if the hacked accounts were misused, or who the perpetrators were.
“We face constant attacks from people who want to take over accounts or steal information around the world. While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place,” CEO and Facebook founder Mark Zuckerberg said on the service. “If you’ve forgotten your password or are having trouble logging in, you can access your account through the Help Center.”
Facebook has dealt with multiple security breaches in the past. The most famous of these is probably the Cambridge Analytica debacle, in which the public learned, well after Facebook itself did, that CA had been building voter profiles by scraping data without consent. Facebook was taken to task by governments for failing to disclose the situation years earlier.