Facebook made a tool to help people protect their information. Instead, it compromised 50 million accounts.
Flaws in a Facebook feature known as “View As,” which shows users what their own profile looks like to other people, allowed attackers to take over other accounts, Facebook announced today (Sept. 28). Attackers exploited the bugs to steal access tokens, the digital keys that keep you logged into Facebook while you do other things on the web, which could then be used to hijack other accounts. That gave the attackers access to the users’ profile information, which typically includes things like a name, gender, and hometown. Fifty million accounts were compromised in the breach.
“We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more,” CEO Mark Zuckerberg said in a Facebook post, noting that Facebook fixed the issue on Sept. 27.
The 50 million affected users were logged out of Facebook to reset their access tokens on Friday. Facebook is doing the same for another 40 million accounts whose profiles were viewed using the “View As” feature in the past year.
The breach comes six months after it was revealed that the Facebook data of another 50 million users was exploited by a company called Cambridge Analytica during the 2016 US presidential election. That case was different in that Cambridge Analytica collected the data from a Cambridge University researcher who shared it in violation of Facebook’s terms. This time around, the breach was tied to a bug in Facebook’s own code. It raises serious questions about whether it’s safe to share any information on Facebook that you wouldn’t be comfortable sharing with a stranger, such as your email address or the names of your relatives.
The bugs were introduced in July 2017 when Facebook made a change to its video-uploading feature, Guy Rosen, vice president of product, said in a blog post. In mid-September 2018, Facebook noticed unusual activity on the platform and began investigating. The attack was discovered on Sept. 25, law enforcement was notified on Sept. 27, and Facebook announced the breach the following day.
“We face constant attacks from people who want to take over accounts or steal information around the world,” Zuckerberg said, in the Facebook post. “We need to continue developing new tools to prevent this from happening in the first place.”