Facebook (NASDAQ:FB) was hacked, and 50 million accounts have been compromised. The company made the revelation in a post on its website today.
Facebook was hacked
The social network’s engineering team uncovered a “security issue” that affected nearly 50 million accounts on Tuesday.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” the company said.
At this point, there aren’t many details about the hack; Facebook said the investigation into what happened is “still in its early stages.” However, engineers did determine that Facebook was hacked by exploiting a code vulnerability impacting the “View As” feature, which allows users to look at their own profile from the point of view of other users. The feature shows them what other users see when looking at their own profile.
By exploiting the “View As” feature, hackers were able to steal access tokens which they then used to take control of about 50 million accounts on the social network. The social network describes access tokens as “the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Here’s what Facebook is doing about the hack
After the engineering team discovered that Facebook was hacked, they immediately fixed the security issue and then told law enforcement about the problem.
The social network also reset the access tokens of the approximately 50 million accounts that were compromised. The company is also resetting the access tokens of an additional 40 million accounts in addition to those of the accounts that were known to be compromised when Facebook was hacked. The other 40 million accounts were all accessed using a “View As” look-up at some point within the last year.
In all, about 90 million users will have to log back in to the website or any apps which use Facebook Login. After logging back in, the affected users will be notified with an explanation that Facebook was hacked and details on what happened.
The social network also temporarily disabled the “View As” feature so that it can review its security. Facebook shows this message currently on the feature – “The “Preview My Profile” feature is temporarily disabled. Please try again later.”
Facebook hacked: awaiting more details
Facebook offered a few other details about how the feature compromised the security of the 50 million accounts that were affected:
“This attack exploited the complex interaction of multiple issues in our code,” the company explained. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’
Facebook also said that not only did the hackers need to find the vulnerability and then exploit it to get access tokens for the affected accounts, but they then “had to pivot from that account to others to steal more tokens.”
Since the discovery earlier this week that Facebook was hacked, it’s still too early to know whether any of the 50 million accounts that were affected were actually misused. The company doesn’t know if any of those users’ information was accessed and hasn’t determined who the culprit was or where they are. Facebook did say it will update its website when it has more information on the hack or if anything changes. The company will also reset the access tokens of any other accounts it determines were compromised.
If your account is among the 50 million that were compromised when Facebook was hacked and you’re having trouble logging in, the company advises you to visit its Help Center. If your account wasn’t affected but you still want to take an extra step to protect your security, then you can go to your account settings and check the Security and Login section. It will show you everywhere you are logged into Facebook and enables you to log out of all of them with a single click.
