On a conference call in which Mark Zuckerberg said “this is a very serious security issue,” the Facebook CEO revealed that 50 million Facebook accounts were hacked.
“I want to update you on a security issue we identified and we patched last night,” said Zuckerberg on the conference call with tech media. “We are taking precautionary measures – in the interest of transparency, we want to share everything we know.”
He went on to say Facebook engineers found an attack affecting 50 million Facebook accounts. The attackers exploited a vulnerability in the code of the “View As” feature, which allowed them to steal Facebook access tokens. These access tokens act as a digital key, according to Guy Rosen, VP, product management, at Facebook. They are used so you don’t have to keep logging into Facebook.
“We saw this attack being used at a fairly large scale,” said Rosen, which raised red flags.
Zuckerberg said the investigation is “still very early.” “We do not know if any of the accounts were misused,” he said, adding that the investigation, so far, does not show the tokens were used to post anything to these accounts. He did say attackers tried to query Facebook APIs to gain personal data about Facebook users (e.g., name, gender, addresses).
The 50 million users will have to log back into their accounts to regain access. “We will notify people about what happens when they log back on.”
If you receive a notification that you have to log back into your Facebook account, it is not necessary to change your password, because passwords were not taken.
Facebook is disabling the “View As” feature until it can verify it is no longer exploitable. In addition, as a further safety measure, Facebook is resetting the access tokens for another 40 million accounts that have been subject to a “View As” lookup – meaning they may have been targeted by the hackers.
Rosen says no credit information was taken. “We do not even show credit information to the account holder,” he said.
“We are in touch with law enforcement to help identify the attackers. We will update you with more details when we have them,” said Zuckerberg. He mentioned the company was working with the FBI and had notified the Irish Data Protection authorities about issues surrounding this breach and the European Union’s GDPR data privacy requirements.
The bug was first introduced on the social media platform in July 2017, after Facebook made an update to its video upload functionality. Rosen said it was too early to tell if this hack mostly affected American accounts, but so far the attack seems “broad.”
When asked how users could continue to trust their data on Facebook, Zuckerberg said, “As I have said a number of times…and I wrote about, security is an arms race. We’re continuing to improve our defenses – the teams we have at Facebook are very focused on this. There are a lot of talented people working on this, but this is going to be an ongoing effort.”