A breach at Facebook that was uncovered Tuesday has exposed information on almost 50 million users, forcing 90 million users to log out of their accounts to safeguard their data.
While the company does not yet know who was behind the attack, it said the vulnerability has been fixed.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” Facebook Vice President of Product Management Guy Rosen wrote in a security update. “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
Calling the attack a “complex interaction of multiple issues in our code,” Rosen said the incident “stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’”
Access tokens keep users logged in to Facebook without having to re-enter their passwords every time they use the social media app.
To breach Facebook’s systems, the attackers had to find the vulnerability, “use it to get an access token” and then “pivot from that account to others to steal more tokens.”
The social media company has been plagued by a number of privacy and security concerns in the last two years. Among the most notable was Cambridge Analytica’s collection of personal data from the accounts of 87 million Americans without their permission, through an app called thisisyourdigitallife developed by Cambridge University professor Aleksandr Kogan. About 270,000 Facebook users signed up to take a paid personality test through the app. Their data and that of their friends, numbering in the millions, were passed along to Cambridge Analytica.