Today Facebook announced that earlier this week it discovered a security issue affecting almost 50 million accounts. The issue was tied to a vulnerability in the code behind “View As”, a feature that lets people see what their own profile looks like to someone else.
Attackers exploited that vulnerability to steal Facebook access tokens, which they could then use to take over people’s accounts – 50 million of them. Access tokens are the equivalent of digital keys: they keep people logged into the social network so they don’t need to re-enter their password every time they use the app, which is also why a stolen token grants account access without the password.
The access tokens for the 50 million accounts the company knows were affected have been reset. This means that if your account was among those unlucky ones, you will find yourself logged out of Facebook and will have to log back in. There’s no need to change your password, as attackers never had access to it.
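To make the “reset the tokens, not the passwords” step concrete, here is an added example (not Facebook’s code, and not describing its internals) of one common way a service invalidates every outstanding access token for a set of accounts: each token is signed and carries the account’s current token version; a reset bumps that version, so any token minted before the reset fails validation while the password store is never touched. The server key, the in-memory version table and the user names are assumptions made up for the illustration.

```python
import base64
import hmac
import hashlib
import json
import time

# Hypothetical server-side signing key; a real deployment keeps this in a KMS/HSM.
SERVER_KEY = b"example-server-key-do-not-reuse"

# Constructed in-memory account table: user id -> current token version.
# Passwords are deliberately not modelled; a token reset never changes them.
_token_version = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now: float = None) -> str:
    """Mint an access token bound to the user's *current* token version."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "ver": _token_version.setdefault(user_id, 0),
        "exp": int(now) + ttl_seconds,
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def validate_token(token: str, now: float = None):
    """Return the user id if the token is genuine, unexpired and not reset; else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    payload = json.loads(body)
    if payload["exp"] < now:
        return None  # expired
    # The breach-response check: a token minted before the last reset carries a stale version.
    if payload["ver"] != _token_version.get(payload["sub"], 0):
        return None
    return payload["sub"]


def reset_tokens(user_ids):
    """Invalidate every outstanding token for these users without touching passwords."""
    for uid in user_ids:
        _token_version[uid] = _token_version.get(uid, 0) + 1


if __name__ == "__main__":
    t = issue_token("alice")
    print(validate_token(t))                      # the session works
    reset_tokens(["alice"])                       # the response step described in the text
    print(validate_token(t))                      # None: client is logged out, must re-authenticate
    print(validate_token(issue_token("alice")))   # logging back in yields a fresh, valid token
```

The version check is what turns a reset into a logout: the client still holds a correctly signed, unexpired token, but the server no longer accepts it. Bumping a per-account counter is cheap enough to apply to tens of millions of accounts at once and needs no change to stored credentials, which is why affected users are asked to log back in rather than to change their password.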
Facebook is also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” lookup in the last year. So, in total, around 90 million people will have to log back in. Afterwards, they will get a notification at the top of their News Feed explaining what happened.
As a consequence, the company has turned off “View As” for now while it conducts a thorough security review of the feature. Law enforcement agencies have been informed of the breach, and the vulnerability itself is now fixed.
Facebook’s investigation of the incident is only just beginning, so at the moment it doesn’t know whether the 50 million accounts were misused or if any information was accessed by malicious third parties. It’s also unclear who’s behind the attack. The company hopes it will have more information on that soon. In addition, if it finds more accounts that were affected, it will immediately reset their access tokens as well.