On Friday, Facebook announced that at least 50 million Facebook accounts had been exposed to attackers in a breach involving the social media platform's "View As" feature, which lets you view your own profile as another user would see it; with the accounts reset as a precaution, the number of people affected rises to around 90 million.
The company stated in an official blog post that earlier this week, on Tuesday, September 25, it identified a vulnerability in its code that had been present and unnoticed for over a year. That vulnerability gave attackers the ability to "take over people's accounts" by stealing their access tokens: the "digital keys" a client presents on every request so that a person stays logged in for days, weeks, or months at a time. Whoever holds a valid token can act as that account without ever knowing the password, which is why a stolen token amounts to a takeover.
At the time of its announcement, Facebook said it had already “fixed the vulnerability and informed law enforcement.” It has also reset the access tokens for every account that it has confirmed to be affected, as well as for every account that has accessed the “View As” feature in the last year, as a precautionary measure. “As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Facebook said.
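The mitigation Facebook describes, invalidating every outstanding token for a set of accounts so that their holders must log in again, is easiest to see in code. The following is an added example, not Facebook's code or anything described in its post: a small bearer-token issuer in which each account carries a "token generation" counter. Every token embeds the generation it was minted under, and a reset bumps the counter, so all earlier tokens for that account fail validation without the server having to track tokens individually. The signing key, the 90-day lifetime, and the account IDs are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    """Long-lived bearer tokens with per-account bulk revocation.

    Illustrative design (not Facebook's implementation): a token is
    base64url(JSON payload) '.' base64url(HMAC-SHA256 over the payload).
    The payload carries the account's current generation number; bumping
    that number invalidates every token minted before the bump.
    """

    def __init__(self, signing_key: bytes):
        self._key = signing_key                 # server-side secret (assumed)
        self._generation = {}                   # user_id -> current generation

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, user_id: str, ttl_seconds: int = 90 * 24 * 3600, now=None) -> str:
        """Mint a token for user_id under the account's current generation."""
        now = time.time() if now is None else now
        payload = {
            "sub": user_id,
            "gen": self._generation.get(user_id, 0),
            "iat": int(now),
            "exp": int(now) + ttl_seconds,
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
        sig = base64.urlsafe_b64encode(self._mac(body)).rstrip(b"=")
        return (body + b"." + sig).decode()

    def validate(self, token: str, now=None):
        """Return the account the token grants, or None if it must not be honored."""
        now = time.time() if now is None else now
        try:
            body, sig = token.encode().split(b".", 1)
            expected = base64.urlsafe_b64encode(self._mac(body)).rstrip(b"=")
            if not hmac.compare_digest(sig, expected):
                return None                      # tampered or forged
            padded = body + b"=" * (-len(body) % 4)
            payload = json.loads(base64.urlsafe_b64decode(padded))
            sub, gen, exp = payload["sub"], payload["gen"], payload["exp"]
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            return None                          # malformed token
        if exp <= now:
            return None                          # expired
        if gen != self._generation.get(sub, 0):
            return None                          # minted before a reset: fresh login required
        return sub

    def reset_accounts(self, user_ids) -> int:
        """Invalidate every outstanding token for the given accounts.

        Used both for accounts confirmed to be affected and for any wider
        precautionary set (e.g. everyone who used a risky feature recently).
        Returns the number of accounts reset.
        """
        ids = set(user_ids)
        for uid in ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1
        return len(ids)


if __name__ == "__main__":
    svc = TokenService(secrets.token_bytes(32))
    t0 = 1_538_000_000                              # fixed clock for the demo
    alice = svc.issue("alice", now=t0)
    print("before reset:", svc.validate(alice, now=t0 + 60))
    # Confirmed-affected accounts plus a precautionary set, as in the post.
    print("accounts reset:", svc.reset_accounts({"alice", "bob"} | {"carol"}))
    print("after reset:", svc.validate(alice, now=t0 + 60))
    print("fresh login:", svc.validate(svc.issue("alice", now=t0 + 120), now=t0 + 200))
```

A generation counter is preferred here over a per-user "tokens issued before time T are invalid" timestamp because two tokens minted in the same second, one just before and one just after the reset, would be indistinguishable by timestamp. Note that the reset does nothing about what an attacker already did with a stolen token while it was valid; that is the gap the investigation referred to in the next paragraph has to fill.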
While acknowledging that the breach was massive, Facebook said it has no information about who was responsible, what their intentions were, or whether any account information was mishandled. “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the company said.
Facebook described the attack as having "exploited the complex interaction of multiple issues in our code." What is not yet clear is which kind of failure that was: genuine software flaws, bugs that let attackers obtain tokens the system was never meant to hand out, or a clever abuse of functionality that worked exactly as designed, as in the Cambridge Analytica episode earlier this year, where data on 87 million accounts was collected through a third-party app using the platform's ordinary API permissions rather than any security hole. Facebook's own phrasing, "issues in our code", points toward the former, but the company has not said which issues or how they were chained together.
"People's privacy and security is incredibly important, and we're sorry this happened," Facebook said by way of apology. It was a more muted statement than Facebook founder Mark Zuckerberg's previous apologies in the wake of the Cambridge Analytica scandal, when he said, "We have a responsibility to protect your data, and if we can't then we don't deserve to serve you."