Facebook has revealed the discovery of a security breach enabling hackers to ‘take over’ almost 50 million user accounts. The company says the discovery was made on Tuesday September 25 and the vulnerability affecting 90 million accounts overall has been fixed.
Facebook says the perpetrators exploited a vulnerability in its code that affected the ‘View As’ feature, which enables users to see how their profile looks to other users. The vulnerability enabled the hackers to steal Facebook access tokens, which were then used to commandeer the accounts of affected users.
These access tokens are the tool that ensures Facebook users are able to remain logged in when they dive in and out of the app.
Facebook says it is still in the early days of its investigation, but says it is resetting the access tokens of the 50 million users directly affected. The company says it is also taking the precautionary measure of resetting access tokens for an additional 40 million accounts that have been “subject to a View As look-up in the last year.”
In a blog post on Friday afternoon in the US – an excellent time to bury bad news, especially given the drama over the US Supreme Court nomination – Facebook says those users will have to log back in again on any of the apps that use Facebook Login.
However, the company assures users that there is no need for anyone to change their passwords. The company also doesn’t appear to be proactively informing users directly that their accounts have been breached. Instead, they’ll see a notice when they log back in.
“After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” writes VP of product management Guy Rosen.
Facebook also says it is turning off the View As feature during the ‘thorough review’. It also goes on to state that “people’s privacy and security is incredibly important.” Again.