Facebook, one of the worlds largest social networks, announced today that it has been struck by a hack, or data breach, that could affect up to 50 million user accounts. Originally reported by the New York Times, the attack was discovered on Tuesday, with the company claiming that it promptly contacted the FBI.
The hack/exploit allows attackers to access user accounts and so Facebook has taken what it says is a precautionary measure of logging out more than 90 million accounts that could have been potentially compromised. The company says that the attackers could access everything in a victim’s profile, but at the moment it is unclear if that includes private messages.
“This is a really serious security issue and we’re taking it really seriously,” Facebook Mark Zuckerberg told reporters during a Friday media call.
The vulnerability was discovered in some of the code for Facebook’s “View As” feature. The attacker can use access tokens order to hijack the target account. Facebook has now announced that it has code patched its servers, on Thursday night, and has also disabled the affected “View As” feature.
Access tokens have been reset for the 50 million accounts that Facebook know have been targeted by the exploit, but have decided to also reset a further 40 million user accounts that have used the “View As” feature.
“This attack exploited the complex interaction of multiple issues in our code,” According to Guy Rosen, VP of Product Management, he further stated. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
“There’s no need for anyone to change their passwords,” he continued.
According to Facebook, affected users will have a message displayed at the top of their News Feed after they have logged back into their account. It will read – “Your privacy and security are important to us,” it carries on to detail “We want to let you know about the recent action we’ve taken to secure your account,” followed by a prompt to click and learn more details.
The Investigation into the attack is still in its early stages, even though it did start on September 16. The company were alerted to the problem as there were a huge amount of accounts accessing the network at once.
It is unknown who is behind the attack and Facebook recognises the fact that we might never know. Facebook and the FBI are said to be working closely with each other to try tracking down those responsible.
If you were not logged out of your account, but want to be extra vigilant you can check this page to see where your account is currently logged into and log them out if the location is not recognised.