Facebook has said it discovered a security breach earlier this week that affected almost 50 million accounts. The company said it has fixed the breach, which allowed hackers to take over people’s accounts.
The social media network said in a statement on Friday that it has told law enforcement authorities about the breach. Shares declined about 3% on the news.
There was a loophole in Facebook’s code for a feature called “View As” that let people see what their account looks like to someone else. The vulnerability allowed people to steal access tokens — digital keys that keep people logged into Facebook so they don’t need to re-enter passwords. Once logged in, the attackers could take control.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’,” Facebook said. “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
Everyone whose profile used the “View As” tool in the last year will have to log in again to Facebook and to any apps that used Facebook to log in. From there, they’ll be able to see a statement from Facebook explaining what happened. The company estimated that about 90 million people will have to log in again.
— Reported by Sarah Frier, (c) 2018 Bloomberg LP