Update: Facebook has revealed that its engineering team has discovered a vulnerability in the site that attackers exploited to steal users’ access tokens and take control of almost 50 million accounts. Facebook detected the breach on Sept. 25, and subsequently reset the access tokens of the affected accounts. It also did the same for another 40 million accounts, making it a total of 90 million—or 4% of Facebook’s total 2.23 billion monthly active users.
“This attack exploited the complex interaction of multiple issues in our code,” the company said in a blog post. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
Facebook says the investigation into this breach has only just begun, so they “have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.” The company did add, however, that if they were to find more affected accounts, they would “immediately reset their access tokens.”
Something strange seems to be happening on Facebook.
Starting around 10:00 am (India time, Sept. 28), many Facebook users reported being abruptly logged out of their accounts. Some also mentioned being logged out of Messenger, the social network’s instant messaging app, besides the main Facebook app.
Quartz has contacted Facebook’s India and global offices. The India communications office replied asking for clarification, saying they would reply with more information later. The global office has not yet responded.
Users on Twitter are reporting log-outs from around the world, including India and the Philippines, which are two of the largest markets for Facebook. India has around 240 million Facebook users, while the Philippines is home to 70 million.
The website Down Detector, which tracks real-time reports from users who are unable to access popular websites, showed that there had been a dramatic spike in problems on Facebook around 8am India local time today. Down Detector reported that 53% of users were unable to log in, 14% had trouble accessing apps, and 32% faced a “total blackout.”
This story will be updated as more details come in.