Facebook says almost 50 million of its users were left exposed by a security flaw.
The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people’s accounts.
The breach was discovered on Tuesday, Facebook said, and it has informed police.
Users who had potentially been affected were prompted to log in again on Friday.
The flaw has been fixed, wrote the firm’s vice-president of product management, Guy Rosen, adding that all affected accounts had been reset, as had another 40 million “as a precautionary step”.
Facebook – which saw its share price drop more than 3% on Friday – has more than two billion active monthly users.
The company has confirmed to reporters that the stolen tokens could also have been used to log in to accounts on other sites and apps that rely on Facebook’s login system, of which there are many.
This means other major sites, such as AirBnB and Tinder, may also be affected.
Who has been affected?
The firm would not say where in the world the 50 million users are, but it has informed the Irish data regulator, as Facebook’s European subsidiary is based in Ireland.
The company said the users prompted to log in again did not have to change their passwords, since what the attackers stole were access tokens rather than passwords.
Mr Rosen said: “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”
He added: “People’s privacy and security is incredibly important, and we’re sorry this happened.”
The company has confirmed that Facebook founder Mark Zuckerberg and its chief operating officer Sheryl Sandberg were among the 50 million accounts affected.
What is ‘View As’?
Facebook’s “View As” function is a privacy feature that allows people to see what their own profile looks like to other users, making it clear what information is visible to their friends, friends of friends, or the public.
Attackers found multiple bugs in this feature that “allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts”, Mr Rosen explained.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.
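The token-theft pattern Mr Rosen describes, as an added illustration that is not Facebook’s code and not a reconstruction of the actual bugs (which this page does not detail): a “view as” preview that is built by minting a full token for the viewed-as user and leaking it to whoever requested the preview, beside a version that never issues a credential in anyone else’s name, plus the “reset” step that invalidates every outstanding token without touching passwords. Every name here (TokenStore, view_as_flawed, view_as_hardened, the sample profiles and friendship) is constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: one server-side HMAC key stands in for real signing infrastructure.
SIGNING_KEY = b"demo-signing-key-not-for-production"
FULL_SCOPES = frozenset({"profile:read", "profile:write", "messages:read"})

# Constructed sample data: two profiles and one friendship.
PROFILES = {
    "alice": {"name": "Alice", "email": "alice@example.com",
              "visibility": {"name": "public", "email": "friends"}},
    "bob": {"name": "Bob", "email": "bob@example.com",
            "visibility": {"name": "public", "email": "public"}},
}
FRIENDS = {frozenset({"alice", "bob"})}


class TokenStore:
    """In-memory access-token issuer. A token is 'id.hmac'; its subject, scopes and
    lifetime live server side, so validation trusts nothing the client supplies."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._meta = {}              # token id -> {"sub", "scopes", "issued_at", "exp"}
        self._revoked_before = None  # tokens issued at or before this instant are dead

    def _sign(self, token_id):
        return hmac.new(SIGNING_KEY, token_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject, scopes, ttl):
        now = self._clock()
        token_id = secrets.token_hex(8)
        self._meta[token_id] = {"sub": subject, "scopes": frozenset(scopes),
                                "issued_at": now, "exp": now + ttl}
        return f"{token_id}.{self._sign(token_id)}"

    def validate(self, token):
        """Metadata for a genuine, unexpired, unrevoked token; None for anything else."""
        token_id, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(token_id)):
            return None
        meta = self._meta.get(token_id)
        if meta is None or self._clock() >= meta["exp"]:
            return None
        if self._revoked_before is not None and meta["issued_at"] <= self._revoked_before:
            return None
        return meta

    def reset_all(self):
        """The account 'reset' step: every token issued so far stops working, so holders
        of stolen tokens are logged out without anyone changing a password."""
        self._revoked_before = self._clock()


def whoami(store, token):
    """Which account does the API think is calling? That is what a token thief gains."""
    meta = store.validate(token)
    return None if meta is None else meta["sub"]


def has_scope(store, token, scope):
    meta = store.validate(token)
    return meta is not None and scope in meta["scopes"]


def audience_for(owner, viewer):
    return "friends" if frozenset({owner, viewer}) in FRIENDS else "public"


def render_profile(owner, audience):
    """Fields of owner's profile that an audience of 'public' or 'friends' may see."""
    profile = PROFILES[owner]
    vis = profile["visibility"]
    return {f: v for f, v in profile.items() if f != "visibility"
            and (vis[f] == "public" or (vis[f] == "friends" and audience == "friends"))}


def view_as_flawed(store, owner, as_user):
    """Flawed pattern: build the preview by literally becoming as_user. A full-scope
    token in as_user's name is minted and copied into the response, so whoever asked
    for the preview walks away with a working credential for somebody else."""
    token = store.issue(as_user, FULL_SCOPES, ttl=3600)
    return {"profile": render_profile(owner, audience_for(owner, as_user)),
            "session_token": token}  # the leak


def view_as_hardened(store, owner, as_user):
    """Hardened pattern: the preview is a server-side filter over owner's own data.
    Nothing is issued in as_user's name; the token the page carries is short-lived,
    bound to the owner, and limited to a preview-only scope."""
    token = store.issue(owner, {"profile:preview"}, ttl=60)
    return {"profile": render_profile(owner, audience_for(owner, as_user)),
            "session_token": token}


if __name__ == "__main__":
    store = TokenStore()
    stolen = view_as_flawed(store, "alice", "bob")["session_token"]
    print("flawed preview leaked a token for:", whoami(store, stolen))
    store.reset_all()
    print("after reset the stolen token identifies:", whoami(store, stolen))
```

The point of the hardened version is that the preview is a question about the owner’s own data (“which of my fields would this audience see?”), so it never needs to act as the other user; a token that is still handed to the page is bound to the requester, expires in a minute and carries a scope that cannot post or read messages, which is why leaking it is far less costly than leaking a full session token.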
Rachel Aldighieri, MD of the Direct Marketing Association, said: “This breach appears to have impacted 50m users of the social network site meaning that a vast amount of personal data is now in the hands of criminals. It is therefore imperative that Facebook are forthcoming in contacting all those affected, provide information on what this breach means for them, and offer support to those who are likely to be very concerned by the news.
We would encourage any concerned users of Facebook to contact the website through its official channels and also follow the updates that they are likely to provide over the next few days. It is important to remain vigilant in checking your account and bank statements to ensure there’s nothing unusual. There’s no need to panic or cancel cards, but if you do see any suspicious activity we recommend contacting your bank immediately.
It is encouraging to see that Facebook have reported the attack promptly and have already begun their investigation into how the breach occurred. It isn’t yet clear how many EU citizens’ data has been affected, but should it come to light that these citizens are among those whose data was breached, Facebook would be subject to hefty fines under GDPR. It appears that the breach was the result of a cyber-attack and not due to negligence; if this is the case, then any fines will be proportionate and will take this into account.
However, fines are just one of the risks to organisations like Facebook. We believe the long-term effects on customer trust, share price and public perception could have more lasting damage.
Facebook now has the challenge of re-building the trust of its customer base, a job that might be difficult given the events involving Cambridge Analytica earlier this year. To do this, it’s vital that the organisation focuses its efforts around two of the core principles of the GDPR – accountability and transparency. They need to show that they have done everything possible to ensure such a breach won’t happen again.”