Facebook users were shocked as the news spread about how nearly 50 million Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts.

Social-media giant Facebook said that its engineers discovered the breach on Tuesday (25 September).

In a blog post, Facebook stated that a vulnerability in the site’s “View As” feature, which lets users see what their profile looks like from someone else’s view, allowed an attacker to steal access tokens, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time.

Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Due to the hack, Facebook has already reset these access tokens.

The company stated that this means that if you were affected by the hack, you’ll notice that you have been automatically logged out of your Facebook account, as well as any other apps that use Facebook to log in.

In the blog post, Guy Rosen, VP of Product Management, stated that the company has reset the access tokens of the almost 50 million accounts which were affected to protect their security.

Facebook is also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.

As a result, Facebook said that around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Although you will have to log back into your account, you do not have to change your passwords, Facebook added.

However, several Business Insider reporters who were required to log back into their accounts told the media that they did not see any type of message upon reentry.

The company then stated that the source of the vulnerability, the “View As” feature, has been disabled for the time being, adding that the feature became open to attack in July 2017 when Facebook made a change to its video uploading.

If you try to access the “View As” feature now, an error message appears saying that it has been “temporarily disabled”.

The incident is believed to be the largest in Facebook’s history.

On Friday morning, Facebook CEO Mark Zuckerberg held a press conference regarding the matter.

“I’m glad we found this and fixed the vulnerability. But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face,” Mr Zuckerberg said.

Mr Zuckerberg also wrote a post on his Facebook account regarding the matter.

“We face constant attacks from people who want to take over accounts or steal information around the world. While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place,” he wrote.

The vice-president of product management, Guy Rosen, also spoke at the conference, saying that the company had notified and was working with the FBI. However, he did not comment on whether national security agencies were involved in the investigation.

“The investigation is early, and it’s hard to discover who is behind this. We may never know,” Mr Rosen said, noting that the scale and complexity of the hack would have required “a certain level” of expertise.

Mr Rosen, however, did not provide any details on the location of users affected, saying only that the attack seemed “broad” and investigators had not determined whether there were particular targets.

According to news media, the company has notified the Irish Data Protection Commission (DPC) about the breach. The implementation of Europe’s General Data Protection Regulation (GDPR) meant that Facebook was required to notify data protection authorities within 72 hours if any affected users were in the European Economic Area.
