Facebook has had its fair share of issues over the years with everything from a bug that made private posts public to the infamous data leak that had the site logging personal texts and calls among other things.
Today the company revealed that it discovered a security flaw on Tuesday affecting almost 50 million user accounts. The vulnerability was in the code behind Facebook's “View As” feature, which lets users see what their own profile looks like to someone else.
According to the company's blog post by VP of Product Management Guy Rosen, the vulnerability let attackers exploit the tool to take over accounts.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Rosen says. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The attack stemmed from multiple bugs in Facebook's code, beginning with a change the company made to its video uploading feature in July 2017 that in turn affected the “View As” feature.
While the investigation is still in its early stages, Rosen says the company is taking it very seriously and has already begun remediation, including turning off the “View As” feature temporarily.
“People’s privacy and security is incredibly important, and we’re sorry this happened,” Rosen says. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
Rosen says the company has already fixed the vulnerability and informed law enforcement, but does not yet know who the attackers are or where they are based.
Facebook reset the access tokens of the 50 million accounts it knows were affected; resetting a token invalidates every copy of it, including any copies the attackers hold. As an extra precaution, it also reset the access tokens on an additional 40 million accounts “that have been subject to a ‘View As’ look-up in the last year.”
If you’ve been logged out of your account and asked to sign back in, it’s because we’ve discovered a security issue and are taking immediate action to protect people on Facebook. Learn more https://t.co/XLcHGYFBu2
— Facebook (@facebook) September 28, 2018
As a result of the access token reset, around 90 million Facebook users will be required to log back in. Once back in, users will see a message at the top of their feed notifying them of the security flaw.
Because the attack stole access tokens, which the reset invalidates, Facebook says there is no need for anyone to change their password. Users who would nonetheless like to change it, or to log out of everywhere they are signed in, are directed to the “Security and Login” section in settings, which lists the places an account is logged in and offers a one-click option to log out of them all.
Facebook admits they haven’t determined whether the affected accounts were misused or any information was accessed. They also say that if any other accounts are affected, their access tokens will be reset as well.
The blog post promises they will update as more information becomes available. You can view Facebook’s entire blog post here.