At least 50 million Facebook users have been affected by a security breach that allowed hackers to take over people’s accounts, the company said on Friday. It’s still unclear what information may have been accessed.
Facebook became aware of the breach on Tuesday when its team discovered that hackers had exploited a vulnerability in the “View As” feature, which allows people to see what their own profile looks like to someone else.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” said Guy Rosen, the vice president of Product Management. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
It was not immediately known how the attackers may have used the tokens or what information may have been accessed, but the company said there was no indication that private messages or credit card information was stolen.
“We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security,” Rosen said. “We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year.”
The Federal Bureau of Investigation (FBI) is investigating the data breach, Facebook CEO Mark Zuckerberg said.
About 90 million users whose access tokens have been reset will have to log in again, but users do not have to change their passwords, Rosen said. The “View As” feature has been turned off while the company carries out a full security review.
The breach comes as Facebook faces mounting pressure over the spread of misinformation and user privacy. Earlier this year, it was revealed that political data firm Cambridge Analytica had obtained and used the personal data of more than 50 million users.