Updated 5:37 p.m. ET
Facebook says that it has discovered a security breach affecting nearly 50 million accounts and that it’s not yet clear whether any information was accessed or any accounts were otherwise misused.
The vulnerability that caused the breach was found Tuesday and was fixed on Thursday night, Facebook says. It was the result of bugs introduced into Facebook’s code in July 2017. No passwords or credit card numbers were stolen, the company says.
But as a result of the breach, attackers could gain access to a user’s account — hypothetically giving them the ability not only to view information, but also to use the account as though they were the account holder.
“We do not yet know if any of the accounts were actually misused,” Facebook CEO Mark Zuckerberg told reporters Friday. “This is a really serious security issue, and we are taking it really seriously.”
The company said it is working with the FBI and conducting an investigation, which is “still in its early stages.”
Facebook does not yet know who carried out the attacks or where they were based. The company knows the attackers attempted to access profile information but not whether they succeeded; it does not yet have evidence that the attackers accessed private messages or if they posted to accounts.
The attack involved stealing “access tokens.” Facebook explains:
“[A]ttackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Nearly 50 million accounts are known to be affected and have had their access tokens reset. An additional 40 million accounts have had their tokens reset as a “precautionary step.”
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Facebook says. “After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
Many users have not yet seen a notification, but that does not mean they were not affected; users “will receive those” in the future, Facebook said Friday afternoon.
The “View As” feature has also been temporarily turned off, pending a security review.
The vulnerability that made the attack possible was caused by multiple bugs in Facebook’s code interacting. At some point, attackers discovered the vulnerability and began exploiting it.
On Sept. 16, Facebook noticed a pattern of unusual activity on the site and launched an investigation.
On Tuesday, the company uncovered the flaw that made this attack possible. It involves three problems with the video uploading feature, explained Guy Rosen, vice president of product management at Facebook. First, the uploader was sometimes appearing on posts prompting people to send “Happy Birthday” messages, even in “View As” mode. (The uploader should not have shown up in “View As” mode at all.)
Second, the uploader was incorrectly generating an access token with permissions for the Facebook app. And third, instead of generating the access token for the person’s own Facebook account, it was generating the token for a friend whose name they had plugged into “View As.”
From there, the attacker could use that account access to “pivot” to another account — that is, log in as that friend and mine their friend network for more accounts to attack. Each token would allow the attacker to access a user’s Facebook account.
By mid-September, the attack was being used on a “fairly large scale,” Rosen said.
Facebook has been on the defensive over issues of user privacy and data security in recent months, after the Cambridge Analytica scandal broke in the spring.
“It’s an arms race,” Zuckerberg said Friday, repeating a phrase he often deploys. “We’re continuing to improve our defenses, and I think this underscores that there are constant attacks by people who are trying to take over accounts or steal information from our community.”
Sen. Mark Warner, co-chair of the Senate Cybersecurity Caucus, called for a “full investigation” into the breach.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Warner said in a statement Friday.