Facebook Inc. (NASDAQ: FB) engineers on Tuesday discovered a security breach that leaked account information for “almost” 50 million users. The company’s vice-president of product management, Guy Rosen, posted a message referring to the breach in the Facebook newsroom.
The breach exploited a flaw in Facebook’s “View As” feature, which lets people see what their own profile looks like to someone else. The bug allowed the attackers to steal Facebook access tokens, which could then be used to take over other people’s accounts. An access token is a piece of data that keeps a user logged in so they don’t have to re-enter their password every time they use Facebook. Affected users will have to log back in, and will then be notified by a message at the top of their news feed.
Facebook said it has fixed the vulnerability and informed law enforcement officials of the incident. The company has also reset access tokens for about 90 million accounts.
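The mitigation described above, resetting access tokens so that any stolen copies stop working and users are asked to log in again, can be illustrated with a small server-side token service. The code below is an added example, not Facebook’s code; it assumes a common design in which tokens are HMAC-signed claims carrying a per-user generation number, and a reset simply bumps that number so every token issued before the reset fails verification. The notice flag models the message affected users see after logging back in.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret for the example; a real service would load a managed key.
SERVER_SECRET = b"constructed-example-secret"


class TokenService:
    """Issues and verifies access tokens; a reset invalidates all earlier tokens for a user."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret
        self.token_version = {}     # user_id -> current generation number
        self.pending_notice = set() # users who must see a notice after re-login

    def issue_token(self, user_id, now=None):
        """Create a signed token bound to the user's current generation number."""
        now = now or int(time.time())
        version = self.token_version.setdefault(user_id, 1)
        claims = {"uid": user_id, "ver": version, "iat": now}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode()
                + "." + base64.urlsafe_b64encode(sig).decode())

    def verify_token(self, token):
        """Return the user id for a valid token, or None if forged, malformed or reset."""
        try:
            p64, s64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64)
            sig = base64.urlsafe_b64decode(s64)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # signature does not match: forged or tampered token
        claims = json.loads(payload)
        if claims["ver"] != self.token_version.get(claims["uid"]):
            return None  # token predates a reset for this user
        return claims["uid"]

    def reset_tokens(self, user_ids):
        """Invalidate every outstanding token for the given users (forces re-login)."""
        for uid in user_ids:
            self.token_version[uid] = self.token_version.get(uid, 1) + 1
            self.pending_notice.add(uid)

    def login(self, user_id):
        """Re-login after a reset: issue a fresh token and say whether a notice is due."""
        show_notice = user_id in self.pending_notice
        self.pending_notice.discard(user_id)
        return self.issue_token(user_id), show_notice


if __name__ == "__main__":
    svc = TokenService()
    old = svc.issue_token("alice")
    print("before reset:", svc.verify_token(old))
    svc.reset_tokens(["alice"])
    print("after reset:", svc.verify_token(old))
    fresh, notice = svc.login("alice")
    print("re-login valid:", svc.verify_token(fresh), "notice shown:", notice)
```

The generation counter is what makes a bulk reset cheap: the service stores one small integer per user rather than a list of every token it ever issued, and tokens for users who were not reset (a `bob` in the test below) keep working unchanged.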
The company is turning off the “View As” feature while it completes a full security review.
Facebook’s Rosen said:
Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.
Facebook does not know the identity of the attackers or where they are based. The company also has not yet determined whether the accounts were misused or if any user data were accessed. Rosen apologized for the breach.
Facebook claims about 2 billion monthly users of its Facebook app, and another 2 billion who use WhatsApp and Instagram.