Facebook reported that an attack exposed information for nearly 50 million users and could have given the attackers access to those users’ accounts on other websites and apps that use Facebook Login.
The hackers exploited a flaw in the “View As” feature, which lets users see what their own profile looks like to someone else. Through this vulnerability they could take over accounts and use them as the legitimate owners would, including posting and viewing content shared by friends. Facebook has confirmed that no credit card data was accessed.
Facebook (FB) stated that it is currently unaware of the attackers’ identities or their location. The company has addressed the bug, notified the FBI and other relevant law enforcement agencies, and alerted lawmakers and regulators. Additionally, they have informed the Irish Data Protection Commission about the breach, complying with GDPR regulations. The commission acknowledged receipt of the notification but expressed concerns regarding its timing and lack of details.
In response, Facebook forced over 90 million users to log out of their accounts as a security measure, requiring them to log back in. This precautionary action also affected the accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg.
According to Facebook, users do not need to implement extra security measures or change their passwords. Logged-out users will receive notifications from Facebook, although it will not specify whether they were among the 50 million affected or the additional 40 million logged out as a precaution.
Guy Rosen from Facebook noted in a follow-up call that the attackers could have accessed third-party services linked through Facebook, although it remains unclear if they did. There is also potential for the breach to affect Instagram accounts that share the same login, while WhatsApp, another Facebook-owned service, was not impacted. This breach marks the largest hack in Facebook’s history.
The company does not yet know if the stolen accounts were misused or if any specific information was accessed. They have disabled the “View As” feature that was exploited as part of their investigation.
“In my experience, notifications regarding breaches tend to worsen over time as investigations unfold,” commented Jessy Irwin, head of security at cybersecurity firm Tendermint. “The public details are limited, but this incident seems to penetrate deeper into Facebook’s ecosystem than the Cambridge Analytica scandal.”
Facebook indicated that the vulnerability stemmed from three distinct bugs and originated from a modification to a video uploading feature in July 2017. The company first noticed unusual user activity on September 16, 2018, initiated an investigation, and uncovered the attack on September 25. They promptly notified law enforcement and resolved the vulnerability by the following day, resetting login tokens.
The attackers managed to steal Facebook “access tokens”: the digital keys that keep a user logged in so they do not have to re-enter a password on every visit, and which let whoever holds one act as that user. Facebook has reset all 50 million compromised tokens, in addition to tokens for another 40 million users who used the “View As” feature within the past year, as a precautionary measure. The reset also unlinked associated Instagram and Oculus accounts, which users will need to reconnect.
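The bulk token reset described above is a standard response once tokens are known or suspected to be stolen. As an added illustration, not Facebook’s code and not a description of how Facebook’s tokens are built, the Python below shows one common design: tokens are HMAC-signed strings carrying the user id and issue time, and a reset records a single per-user cutoff so that every token issued at or before it is refused without the server having to enumerate the tokens. The class, method names, token layout and signing key are all assumptions for the example.

```python
"""Added example (not Facebook's code): a session-token store that can
invalidate every outstanding token for a set of users in one step.

Tokens are HMAC-signed strings carrying the user id and the issue time, so
the server can check them without a database lookup. Bulk revocation then
needs only one number per user: the time of the last reset. Any token issued
at or before that time is refused, even one the server never saw stolen.
All names, the token layout and the signing key below are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class TokenStore:
    secret: bytes                      # server-side signing key (assumed)
    # user_id -> issue time at or before which that user's tokens are refused
    reset_at: Dict[str, int] = field(default_factory=dict)

    def issue(self, user_id: str, now: int) -> str:
        """Mint a token: '<user>:<issued_at>:<nonce>.<hmac>' (assumed layout)."""
        body = f"{user_id}:{int(now)}:{secrets.token_hex(8)}"
        mac = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def validate(self, token: str) -> Optional[str]:
        """Return the user id if the token is authentic and not revoked."""
        body, sep, mac = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None                  # forged or tampered token
        user_id, issued_at, _nonce = body.split(":", 2)  # assumes no ':' in ids
        if int(issued_at) <= self.reset_at.get(user_id, -1):
            return None                  # predates the user's last reset
        return user_id

    def reset_all_tokens(self, user_ids: Iterable[str], now: int) -> int:
        """Invalidate every token issued to these users at or before `now`,
        without enumerating the tokens. Returns the number of users reset."""
        count = 0
        for uid in user_ids:
            self.reset_at[uid] = int(now)
            count += 1
        return count


def demo() -> dict:
    """Constructed scenario: two users log in, both are force-reset, then one
    logs back in. Returns the validation results at each stage."""
    store = TokenStore(secret=b"example-signing-key-do-not-reuse")
    t0 = 1_537_000_000                   # arbitrary epoch seconds
    alice_tok = store.issue("alice", t0)
    bob_tok = store.issue("bob", t0 + 10)
    before = (store.validate(alice_tok), store.validate(bob_tok))
    affected = store.reset_all_tokens(["alice", "bob"], t0 + 30)
    after = (store.validate(alice_tok), store.validate(bob_tok))
    alice_new = store.issue("alice", t0 + 50)   # fresh login after the reset
    # Flip the last MAC character: the authenticity check must reject it.
    last = bob_tok[-1]
    tampered = bob_tok[:-1] + ("0" if last != "0" else "1")
    return {
        "before_reset": before,          # ("alice", "bob")
        "users_reset": affected,         # 2
        "after_reset": after,            # (None, None)
        "fresh_login": store.validate(alice_new),   # "alice"
        "tampered": store.validate(tampered),       # None
    }


if __name__ == "__main__":
    print(demo())
```

The cutoff approach is what makes a 90-million-account reset cheap: the server stores one timestamp per affected user rather than touching each token. A production store would also give tokens an expiry and bind them to a client or device, neither of which this illustration includes.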
“The reality is we face ongoing attacks from individuals seeking to hijack accounts or procure information... we must take further steps to avert such incidents,” CEO Mark Zuckerberg said on a call with reporters shortly after the disclosure.
This announcement represents yet another challenge for Facebook, which has grappled with security breaches, privacy controversies, and the spread of misinformation in recent years. The company asserts that it is significantly enhancing security measures and plans to double its security workforce from 10,000 to 20,000.
“Security is an arms race, and we are continuously enhancing our defenses,” emphasized Zuckerberg.
— Reporting contributed by CNN’s Donie O’Sullivan, Laurie Segall, and Sara O’Brien.
CNNMoney (San Francisco) First published September 28, 2018: 12:58 PM ET