Facebook's latest security breach: 50 million users at risk

The company says it has fixed the vulnerability, but it does not yet know whether any data was accessed or misused

Published September 29, 2018 11:07AM (EDT)

 (AP/Noah Berger)

Facebook announced Friday a massive security breach of its website, which affected about 50 million user accounts.

Facebook's engineering team discovered the breach Tuesday, began an investigation and alerted law enforcement, according to a blog post released by the company. "Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," the social media juggernaut disclosed.

"We face constant attacks from people who want to take over accounts or steal information around the world," CEO Mark Zuckerberg wrote on his Facebook account. "While I'm glad we found this, fixed the vulnerability and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place."

In its blog post, Facebook said that the attackers exploited a vulnerability in its "View As" feature, which allows people to see how their profile appears to someone else on the platform. The social media network first became aware of a possible attack when it observed an unusual spike in user activity on Sept. 16, according to CNBC.

This vulnerability allowed hackers "to steal Facebook access tokens, which they could then use to take over people’s accounts," Facebook's blog post added. "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."

The company says it has fixed the vulnerability and has reset the access tokens of the 50 million accounts that were directly affected, as well as those of another 40 million accounts that could have been at risk through the "View As" feature. This means approximately 90 million people will have to log back in to Facebook and into any apps that rely on their Facebook login.

"Facebook has had a hard year, and it just got worse," Adam Levin, founder of CyberScout, a company that assists businesses with cybersecurity, said in a statement. "In a world dominated by trillion-dollar advertising platforms consisting of multi-billion member communities, 50 million users may no longer seem like a big deal, but it is. The number of people affected by this breach is roughly equal to the entire population of the west coast of the United States."

In the meantime, Facebook said it has temporarily disabled the "View As" feature in light of the security investigation.


"This attack exploited the complex interaction of multiple issues in our code," Facebook's blog post continued. "It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.' The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
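The mechanics behind the last few passages (bearer access tokens as "digital keys", a "View As" rendering path that hands the viewer a token for someone else, the account-to-account pivot, and why resetting tokens logs people out of Facebook and of every app that relies on their Facebook login), as an added illustrative model. This is not Facebook's code and does not reproduce the actual bug; the TokenService class, the FRIENDS graph, the bug pattern in view_as_vulnerable and every other name here are hypothetical:

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Hypothetical server-side signing key (constructed; a real service would use a KMS).
SECRET = os.urandom(32)

# Constructed sample social graph: user -> friends.
FRIENDS = {"alice": ["bob", "carol"], "bob": ["alice", "dave"],
           "carol": ["alice"], "dave": ["bob"]}


class TokenService:
    """Bearer access tokens: HMAC-signed claims, short-lived, and bound to a per-user
    version number so one bump invalidates every token that user has outstanding."""

    def __init__(self):
        self.version = {}  # user_id -> current token version

    def issue(self, user_id, scope="full", ttl=3600):
        ver = self.version.setdefault(user_id, 1)
        claims = {"sub": user_id, "ver": ver, "scope": scope, "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def verify(self, token):
        """Claims for a valid token; None if forged, expired, or reset since issue."""
        body, _, sig = token.partition(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] < time.time() or claims["ver"] != self.version.get(claims["sub"]):
            return None
        return claims

    def reset(self, user_ids):
        """Bulk reset: every token these users hold stops verifying, so they must log
        back in, and so must every third-party app that relies on their login."""
        for uid in user_ids:
            self.version[uid] = self.version.get(uid, 1) + 1


def render_profile(owner, principal):
    """Hypothetical renderer: the owner's profile as the given principal would see it."""
    audience = "friends" if principal["sub"] in FRIENDS.get(owner, []) else "public"
    return {"profile_of": owner, "seen_by": principal["sub"], "audience": audience}


def view_as_vulnerable(svc, owner_token, as_user):
    """Hypothetical bug pattern (not a claim about the real code): the preview is built
    by minting a full-scope token for the impersonated user, and that token ends up
    embedded in the page returned to the owner's client."""
    owner = svc.verify(owner_token)
    if owner is None:
        raise PermissionError("not logged in")
    impersonation_token = svc.issue(as_user)            # someone else's digital key
    page = render_profile(owner["sub"], svc.verify(impersonation_token))
    page["embedded_token"] = impersonation_token        # leaks to the owner's browser
    return page


def view_as_hardened(svc, owner_token, as_user):
    """Fix: render server-side under a non-exportable, read-only preview principal.
    No token is minted for the impersonated user and none is returned."""
    owner = svc.verify(owner_token)
    if owner is None:
        raise PermissionError("not logged in")
    if as_user not in FRIENDS:
        raise PermissionError("unknown user")
    preview_principal = {"sub": as_user, "scope": "preview_readonly"}  # never serialized
    return render_profile(owner["sub"], preview_principal)


def harvest_tokens(svc, start_user, start_token):
    """The pivot the post describes: each stolen token lets the attacker run the
    vulnerable View As from that account and steal tokens for its friends in turn."""
    stolen, seen, frontier = {}, {start_user}, [(start_user, start_token)]
    while frontier:
        user, token = frontier.pop()
        for friend in FRIENDS[user]:
            if friend in seen:
                continue
            seen.add(friend)
            page = view_as_vulnerable(svc, token, friend)
            stolen[friend] = page["embedded_token"]
            frontier.append((friend, stolen[friend]))
    return stolen


if __name__ == "__main__":
    svc = TokenService()
    attacker_token = svc.issue("alice")                  # attacker's own legitimate login
    loot = harvest_tokens(svc, "alice", attacker_token)
    print("stolen tokens for:", sorted(loot))            # ['bob', 'carol', 'dave']
    svc.reset(loot)                                      # the bulk token reset
    print("still valid after reset:", [u for u, t in loot.items() if svc.verify(t)])  # []
```

The version counter is the point of the reset: nothing in the stolen tokens changes, but they stop verifying everywhere at once, which is why the affected users were logged out of Facebook and of every app that had accepted a Facebook login. The hardened preview never creates a credential for the impersonated user at all, so there is nothing to leak and nothing to pivot with.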

Facebook does not yet know who the hackers are or where they are based.

In his statement, Levin said that, because the breach occurred after an upgrade, "any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process. The traditional 'patch and pray' approach to cybersecurity is obsolete. An effective vulnerability management program is crucial."

Facebook was already trading down, but after the disclosure the company extended its losses to as much as 3.5 percent, CNBC reported.

And, as Levin said, the latest security breach comes on top of a challenging year for the social media giant. Earlier this year, it was revealed that the political consulting firm Cambridge Analytica improperly harvested the Facebook data of nearly 90 million users.

By Rachel Leah
