Facebook reportedly discovered a security vulnerability on September 25th, 2018 that affected almost 50 million accounts.
The social network’s vice president of product management Guy Rosen confirmed the breach in a September 28th, 2018 Facebook media release.
Rosen explained that the vulnerability stemmed from changes made to Facebook’s video uploading feature in July 2017.
The vulnerability enabled attackers to use Facebook’s ‘View As’ feature, which lets users view their accounts from the perspective of friends and other Facebook users, to generate access tokens that mimicked genuine accounts.
Access tokens are like digital keys that keep users logged into Facebook so that passwords don’t need to be re-entered each time users access an application.
“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” wrote Rosen, in the September 28th media release.
Facebook says that it has temporarily turned off the ‘View As’ feature while the social network “conducts a thorough security review.”
Additionally, Facebook has reset the access tokens of the 50 million accounts that were definitely affected.
Facebook also reset the access tokens of 40 million accounts that were included in a ‘View As’ lookup over the course of the past year.
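To make the bug class described above concrete (a preview context that ends up minting credentials for the viewed account, and the bulk token reset used to contain it), here is an added toy model. It is not Facebook's code; the functions, the `Session` type and the signing key are all constructed for illustration.

```python
"""Toy model of a 'View As' preview mode in which an upload component mints
access tokens. Constructed example, not Facebook's code: it shows the bug
class the article describes next to a hardened variant and a token reset."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SIGNING_KEY = b"demo-signing-key"  # constructed; load from a KMS in real code

@dataclass
class Session:
    user_id: str                    # principal who actually authenticated
    view_as: Optional[str] = None   # account whose perspective is previewed

def mint_token(user_id: str, version: int) -> str:
    payload = f"{user_id}:{version}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}:{sig}"

def vulnerable_uploader_token(session: Session, versions: Dict[str, int]) -> str:
    # BUG: the subject is taken from the *displayed* identity, so in preview
    # mode the caller receives a valid token for the viewed account.
    subject = session.view_as or session.user_id
    return mint_token(subject, versions[subject])

def hardened_uploader_token(session: Session, versions: Dict[str, int]) -> Optional[str]:
    # Fix: a read-only preview must never mint credentials, and the subject
    # is always the authenticated principal, never the impersonated view.
    if session.view_as is not None:
        return None
    return mint_token(session.user_id, versions[session.user_id])

def verify_token(token: str, versions: Dict[str, int]) -> Optional[str]:
    """Return the user_id the token is valid for, or None if rejected."""
    try:
        user_id, ver, _sig = token.split(":")
        version = int(ver)
    except ValueError:
        return None
    if not hmac.compare_digest(mint_token(user_id, version), token):
        return None
    # A server-side version bump invalidates every token issued before it.
    return user_id if version == versions.get(user_id) else None

def reset_tokens(user_ids: Iterable[str], versions: Dict[str, int]) -> None:
    """Force re-login for the given accounts (the article's token reset)."""
    for uid in user_ids:
        versions[uid] = versions.get(uid, 0) + 1
```

The per-user version counter is what lets a provider invalidate every outstanding token for a set of accounts at once without knowing which tokens were taken.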
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” wrote Rosen.
“After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
According to Rosen, Facebook’s investigation is still in its early stages and it’s not yet clear whether any accounts were misused or if any personal information was accessed.
In a phone call with reporters, Rosen clarified that hackers didn’t access private messages or posts.
“To add one more thing there, what we also can confirm is that no credit card information has been taken,” said Rosen, in a September 28th call with reporters.
“We don’t display credit card information, even to account holders.”
Facebook has yet to determine who is responsible for the breach, but says that the company has already fixed the vulnerability and informed law enforcement.
A spokesperson for the Office of the Privacy Commissioner of Canada (OPC) confirmed that Facebook has advised the privacy watchdog of the incident.
“We’ve asked the company to submit a breach incident report to our office explaining what took place and what the company is doing to mitigate the situation,” said the OPC spokesperson, in an email to MobileSyrup.
Facebook has spent most of 2018 fending off criticism about the company’s handling of a 2013 data breach that affected approximately 87 million users — including approximately 622,000 Canadian users.
Facebook CEO Mark Zuckerberg previously apologized for his company’s handling of the Cambridge Analytica privacy scandal, even telling U.S. lawmakers that his own data was compromised as a result of Cambridge University researcher Aleksandr Kogan’s personality quiz.
News of the September 25th, 2018 breach also comes at a time when the company is facing intense scrutiny from privacy advocates, including a number of international lawmakers.
Earlier this morning, Facebook confirmed that it even reuses phone numbers provided for two-factor authentication to target ads at users.
Update 28/09/2018 5:49pm ET: Story updated with additional context and reporting.
Update 28/09/2018 3:53pm ET: Story updated with comment from the Office of the Privacy Commissioner of Canada.
Update 28/09/2018 2:22pm ET: Story updated with additional reporting.