SAN FRANCISCO (CBS SF) — Hackers exploiting a vulnerability in Facebook’s ‘View As’ feature staged a major security breach affecting some 50 million accounts, the company announced Friday.
CEO Mark Zuckerberg took to social media to talk about the breach.
“I want to update you on an important security issue we’ve identified,” he posted. “We patched the issue last night and are taking precautionary measures for those who might have been affected.”
“We face constant attacks from people who want to take over accounts or steal information around the world,” he continued. “While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
In a post on Facebook’s newsroom, Guy Rosen, VP of Product Management, said the company’s engineers discovered the breach on Tuesday.
“Here is the action we have already taken,” the posting read. “First, we’ve fixed the vulnerability and informed law enforcement.”
According to Rosen, the investigation was still in its early stages, but “It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
The company said access tokens were the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Rosen said the company has reset the access tokens of “the almost 50 million accounts we know were affected to protect their security.”
Facebook engineers were also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
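The token reset Rosen describes is, in engineering terms, server-side revocation: a stolen token stops working even though the account’s password is untouched. The following is an added illustration and is not Facebook’s code, nor based on any implementation detail the company disclosed. It assumes a hypothetical service that issues HMAC-signed bearer tokens carrying a per-user “generation” counter (the key, the in-memory store and the sample user are all constructed for the example), so that bumping a user’s counter invalidates every token minted before it, exactly the effect of a mass token reset.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption (not from the article): a server-side HMAC key. In a real
# deployment this comes from a secrets store, never from source code.
SERVER_KEY = b"constructed-example-key-do-not-use"

# Constructed in-memory stand-in for the per-user record a real service keeps
# in its database: a "token generation" counter for each user.
_token_generation = {}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _mac(body: str) -> str:
    # HMAC-SHA256 over the encoded claims; the token is body + "." + mac.
    return _b64e(hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(user_id: str, now: Optional[float] = None, ttl: int = 3600) -> str:
    """Mint a bearer token bound to the user's current token generation."""
    now = time.time() if now is None else now
    claims = {
        "sub": user_id,
        "gen": _token_generation.get(user_id, 0),
        "exp": int(now) + ttl,
    }
    body = _b64e(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return body + "." + _mac(body)


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id the token authenticates, or None if it is rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak the expected MAC.
    if not hmac.compare_digest(sig, _mac(body)):
        return None
    try:
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    user_id = claims.get("sub")
    # A token minted before the user's last reset carries a stale generation
    # and is refused even though its signature and expiry are still valid.
    if claims.get("gen") != _token_generation.get(user_id, 0):
        return None
    return user_id


def reset_tokens(user_id: str) -> None:
    """Invalidate every outstanding token for the user without touching the password."""
    _token_generation[user_id] = _token_generation.get(user_id, 0) + 1


if __name__ == "__main__":
    stolen = issue_token("alice", now=1000)
    print("before reset:", validate_token(stolen, now=1000))   # alice
    reset_tokens("alice")
    print("after reset:", validate_token(stolen, now=1000))    # None
    print("fresh token:", validate_token(issue_token("alice", now=1000), now=1000))  # alice
```

The generation check is what makes the reset cheap: the service rewrites one integer per affected user rather than hunting down every token that was ever issued, and legitimate users simply log in again to receive a token with the new generation.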
The company has also turned off the “View As” feature while it conducts a thorough security review.
“This attack exploited the complex interaction of multiple issues in our code,” Rosen said in his post. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
Facebook said their security team has “yet to determine whether these accounts were misused or any information accessed… We also don’t know who’s behind these attacks or where they’re based.”
The company said there was no need for anyone to change their passwords.