An attack on Facebook discovered earlier this week exposed information on nearly 50 million of the social network’s users, the company announced Friday.
The attackers exploited a feature that lets users see their Facebook page the way someone else would. They could then potentially use it to take over the accounts. Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed law enforcement. More than 90 million users were forced to log out of their accounts on Friday for security reasons.
The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has turned off the “View As” feature that the attackers exploited while it investigates. It believes the vulnerability appeared after it made a change to a video uploading feature in 2017.
The attackers stole Facebook “access tokens,” which keep a person logged into their Facebook account over long periods of time so they don’t have to keep signing in. Facebook reset the tokens for all 50 million affected accounts, as well as tokens for an additional 40 million as a “precautionary step.”
The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years.
“The reality here is we face constant attacks from people who want to take over accounts or steal information…. we need to do more to prevent this from happening in the first place,” CEO Mark Zuckerberg said during a call with reporters shortly after the announcement. “We’re going to keep investing very heavily in security going forward.”
Zuckerberg has said in the past that fighting bad actors on the platform is a “never-ending battle.”