UPDATED throughout with more details about the security breach
Facebook suffered an attack on its computer network that exposed information about 50 million users.
Hackers took advantage of three separate vulnerabilities in Facebook’s software to steal tokens that allowed them to take over users’ accounts and harvest profile information, including their names, hometowns and gender. The company said it’s still investigating to determine whether these user accounts were misused.
Facebook said it detected an unusual spike in activity on Sept. 19 and launched an investigation. On Tuesday, it uncovered the malicious attack, which exploited vulnerabilities introduced more than a year ago when Facebook created a new video upload feature. The company patched the bugs on Thursday and issued fresh digital access keys to the 50 million users whose accounts had been accessed.
“The reality here is we face constant attacks from people who want to take over accounts and steal information,” said Facebook CEO Mark Zuckerberg, telling reporters that the company continues to invest heavily in security. “We need to do more to prevent this from happening in the first place.”
Facebook’s discovery of the hack comes at a difficult time for the company, which is still dealing with the fallout from the Cambridge Analytica privacy scandal and the Russian misinformation campaign during the 2016 presidential election. The social media giant also is facing threats of greater regulation from Washington, as some legislators fear it has amassed too much power.
“This is clearly a breach of trust and we’re taking this very seriously,” said Guy Rosen, Facebook’s vice president of product management. “We’re working with regulators to let them know what happened.”
Facebook says its investigation is still in the early stages and it still doesn’t know the identity of the attackers, who exploited a feature in Facebook’s code that allowed them to steal access to users’ accounts.
Rosen described the cyberattack as a sophisticated one that took advantage of a combination of previously unknown vulnerabilities that appeared within Facebook’s “View As” tool, which allows users to see how their profiles appear to other people. The bug was compounded by a flaw in one of Facebook’s video upload programs, which let attackers steal access tokens, the digital keys that unlock access to a user’s account.
“We did see this attack used at a large scale,” said Rosen. “That’s how we discovered this and we started investigating and found the vulnerability.”
As a security measure, Facebook required anyone whose account was compromised, along with 40 million others who had used the View As tool, to log into their accounts this morning. After they log back in, they’ll receive information at the top of their News Feed explaining what happened.