Facebook discloses network breach affecting 50 million user accounts

Facebook said attackers exploited a vulnerability in its code that let them steal access tokens when users switched over to a public profile view via the "View As" feature.
Written by Natalie Gagliordi, Contributor

Facebook on Friday disclosed a breach of its network that affected almost 50 million user accounts. The social networking giant said that attackers exploited a vulnerability in Facebook's code that let them steal access tokens, the digital keys that keep users logged in so they do not have to re-enter their username and password every time they use the service, when users switched over to a public profile view via the "View As" feature.

Because an access token stands in for a logged-in session, the stolen tokens let the attackers take over user accounts; it is still unclear whether user data was accessed or misused.


Facebook said it has secured its network and the affected user accounts since its engineering team discovered the attack on September 25. The bug has been fixed, and Facebook said it has notified law enforcement.

In the meantime, the company has reset the access tokens on all of the affected user accounts, as well as on another 40 million accounts that were subject to a "View As" look-up in the last year.

Anyone affected by the reset will need to log back in to Facebook and to any apps that use Facebook Login. Once logged back in, affected users will see a notification at the top of News Feed alerting them to the incident.
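The reset described above works because a bearer token is only as good as the server's willingness to honour it: whoever holds the token is indistinguishable from the user, so the only remedy for a stolen token is to make the server stop accepting it. The following is an added example, not Facebook's code and not a description of its internal token format; it assumes a simple HMAC-signed token that embeds a per-user generation counter, so that bumping the counter invalidates every token issued before the reset while leaving tokens issued afterwards (the user's re-login) valid. The signing key and the user name "alice" are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, Optional

# Constructed signing key for this example only; a real service loads it
# from a key-management system rather than generating it at import time.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME_SECONDS = 60 * 60 * 24


class TokenService:
    """Issues HMAC-signed bearer tokens and can revoke all of a user's
    outstanding tokens at once by bumping a per-user generation counter."""

    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self._key = key
        # user_id -> current generation. Each token embeds the generation
        # current when it was issued and is rejected once it falls behind.
        self._generation: Dict[str, int] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        if ":" in user_id:
            raise ValueError("user_id must not contain the field separator")
        now = time.time() if now is None else now
        gen = self._generation.setdefault(user_id, 0)
        expires = int(now) + TOKEN_LIFETIME_SECONDS
        payload = f"{user_id}:{gen}:{expires}"
        return payload + ":" + self._sign(payload)

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id the token is valid for, or None if it is
        malformed, forged, expired, or predates a reset for that user."""
        now = time.time() if now is None else now
        try:
            user_id, gen_str, exp_str, sig = token.split(":")
            gen, expires = int(gen_str), int(exp_str)
        except ValueError:
            return None
        payload = f"{user_id}:{gen}:{expires}"
        # Constant-time comparison; both sides encoded so a non-ASCII
        # signature field is simply a mismatch rather than a TypeError.
        if not hmac.compare_digest(sig.encode(), self._sign(payload).encode()):
            return None
        if now >= expires:
            return None
        if gen != self._generation.get(user_id, 0):
            return None  # issued before the user's most recent reset
        return user_id

    def reset(self, user_ids: Iterable[str]) -> None:
        """Invalidate every outstanding token for the given users. Tokens
        issued after this call (the user logging back in) remain valid."""
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()


def simulate_incident() -> Dict[str, bool]:
    """Walk through the lifecycle in the article: a token is stolen, the
    service resets the account, and the user logs back in."""
    svc = TokenService()
    victim_token = svc.issue("alice")  # constructed user for the example
    # An attacker holding the token is indistinguishable from the user.
    stolen_valid_before = svc.verify(victim_token) == "alice"
    svc.reset(["alice"])  # the server-side reset Facebook applied
    stolen_valid_after = svc.verify(victim_token) is not None
    relogin_token = svc.issue("alice")  # the user logs back in
    return {
        "stolen_token_valid_before_reset": stolen_valid_before,
        "stolen_token_valid_after_reset": stolen_valid_after,
        "new_token_valid_after_relogin": svc.verify(relogin_token) == "alice",
    }


if __name__ == "__main__":
    for k, v in simulate_incident().items():
        print(f"{k}: {v}")
```

The generation counter is the part that matters operationally: it lets the service revoke tens of millions of tokens with one increment per account and no token-by-token bookkeeping, which is the kind of bulk reset the article describes, and the same check rejects a token that was issued before the reset no matter where it surfaces later.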


Facebook has also disabled the "View As" feature while it conducts a security review.

"Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Facebook said in a blog post. "We also don't know who's behind these attacks or where they're based. We're working hard to better understand these details -- and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens."

On a call with media, chief executive Mark Zuckerberg said the initial investigation does not suggest that these access tokens were used to access any private messages, posts, or to post anything to user accounts.


"I'm glad that we found this and that we were able to fix the vulnerability and secure accounts," Zuckerberg said. "But it definitely is an issue that this happened in the first place. And I think this underscores the attacks that our community and our service face, and the need to keep on investing heavily in security and being more proactive about protecting our community. And we're certainly committed to doing that."
