An attack on Facebook exposed information on nearly 50 million of the social network’s users, the company announced Friday — and gave the attackers access to those users’ accounts with other sites and apps that they logged into using Facebook.
The attackers exploited a bug in a feature called “View As” that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders. That would include posting or viewing information shared by any of that account’s friends. Facebook says no credit card information stored with the company was accessed.
Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe’s GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.
More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out by Facebook.
Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged-out users will receive a notification about the issue from Facebook.
The attackers would have also been able to access third-party services or sites accessed with a Facebook login, Facebook’s Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could have also impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. The company declined to confirm if this was the largest hack it has experienced to date.
The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the “View As” feature that the attackers exploited while it investigates.