CALIFORNIA – Facebook has apologized for a “security issue,” after discovering that hackers used a vulnerability in the platform’s code to steal other users’ ‘access tokens’ and log into their accounts. 50 million accounts were affected.
In a statement released on Friday, the company said that attackers could use Facebook’s “View As” tool – which lets a user see what their profile looks like to other users – to steal other users’ access tokens – digital keys that allow a user to stay logged into the social network without re-entering their password every time.
The flaw was in the “View As” feature itself; the access tokens it leaked were what the attackers then used to take over accounts.
As a precaution, Facebook reset the access tokens of roughly 90 million accounts earlier on Friday – the 50 million known to be affected plus about 40 million more that had used “View As” in the past year – forcing those users to log back in.
CEO Mark Zuckerberg penned a post on his personal Facebook page about the incident, saying the issue was ‘patched last night’ but that the firm is working with law enforcement, including the FBI, to continue to investigate the origins of the attack.
‘On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook,’ Zuckerberg wrote.
Access tokens do not contain a user’s password, but whoever holds a valid one can act as that user without it: they are bearer credentials, which is why the remediation was to invalidate the tokens rather than to reset passwords.
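To make the bearer-token point concrete, here is an added example (not Facebook’s code, and the class and function names are assumptions made for illustration) of a minimal token service: tokens are HMAC-signed so they cannot be altered, a server-side session table records which tokens exist for each user, and a forced logout is implemented as bulk revocation of that user’s sessions. A copied token works exactly like the real one right up until the revocation, after which it is dead even though its signature is still valid.

```python
import hashlib
import hmac
import secrets
import time

# Per-process signing key (hypothetical; a real service keeps this in a secret store).
SERVER_KEY = secrets.token_bytes(32)


class TokenService:
    """Signed bearer tokens backed by a revocable server-side session table."""

    def __init__(self, key=SERVER_KEY, ttl=3600):
        self.key = key
        self.ttl = ttl
        self.sessions = {}   # token_id -> (user_id, expires_at)
        self.by_user = {}    # user_id  -> set of token_ids, for bulk revocation

    def _mac(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id):
        """Mint a token for an already-authenticated user (user_id must not contain '.')."""
        token_id = secrets.token_urlsafe(16)
        expires = int(time.time()) + self.ttl
        self.sessions[token_id] = (user_id, expires)
        self.by_user.setdefault(user_id, set()).add(token_id)
        payload = f"{token_id}.{user_id}.{expires}"
        return f"{payload}.{self._mac(payload)}"

    def whoami(self, token):
        """Return the user a token is valid for, or None if forged, expired or revoked."""
        try:
            token_id, user_id, expires, mac = token.split(".")
        except ValueError:
            return None
        # Reject any token whose fields were altered: the MAC no longer matches.
        if not hmac.compare_digest(mac, self._mac(f"{token_id}.{user_id}.{expires}")):
            return None
        session = self.sessions.get(token_id)
        if session is None:                 # revoked (or never issued)
            return None
        if session[0] != user_id or session[1] < time.time():
            return None
        return user_id

    def revoke_all(self, user_id):
        """Forced logout: every outstanding token for this user stops working."""
        for token_id in self.by_user.pop(user_id, set()):
            self.sessions.pop(token_id, None)


def stolen_token_scenario():
    """Constructed scenario: a token is copied, the user is logged out, a new login happens.

    Returns (who the fresh token is valid for, who the stolen copy is valid for).
    """
    svc = TokenService()
    stolen = svc.issue("alice")          # attacker obtains an exact copy of this string
    assert svc.whoami(stolen) == "alice"  # the copy is as good as the original
    svc.revoke_all("alice")               # the 'logged out as a security measure' step
    fresh = svc.issue("alice")            # the user logs back in with their password
    return svc.whoami(fresh), svc.whoami(stolen)


if __name__ == "__main__":
    print(stolen_token_scenario())
```

The design choice worth noting is the server-side table: a purely stateless signed token (a JWT with no revocation list, for example) cannot be killed before it expires, so a leak of the kind described above could only be contained by rotating the signing key and logging out everyone at once.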
The attack marks the latest setback for Facebook, which is still recovering from the fallout over the Cambridge Analytica scandal earlier this year, in which data on some 87 million users was obtained by the political consulting firm without their knowledge.
As a result, many users, experts and legislators have grown concerned about whether the firm can effectively manage and safeguard users’ data.
Zuckerberg acknowledged in a statement to reporters that Facebook needs to take additional steps to prevent these kinds of issues from occurring.
‘We face constant attacks from people who want to take over accounts or steal information,’ Zuckerberg said in a call with reporters.
‘We need to do more to prevent this from happening in the first place.’
Facebook has not yet determined whether the affected accounts were misused, and has so far found no evidence that they were.
Separately, the revelation that the company has been using phone numbers supplied explicitly for two-factor authentication to target advertising has outraged many and further damages user trust in the social network.
BREAKING: Facebook admits security breach affected 50million accounts – attackers stole Facebook access tokens that they "could then use to take over people's accounts" pic.twitter.com/KCWSkzbk2G
— Sean Keach (@SeanKeach) September 28, 2018
“At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally” https://t.co/BrZ7Yeq5Jw
— DHH (@dhh) September 27, 2018
We’re never getting out of this rabbit hole… 😔 RT @konklone: #Facebook takes phone numbers given to them for two factor authentication & uses them for ads. Gross and completely irresponsible. https://t.co/hCp9voZwRy pic.twitter.com/AKvSvkNSIt #privacy #tech #socialmedia
— Stephanie Humphrey (@TechLifeSteph) September 27, 2018
Researchers also found evidence that the corporation uses “shadow” contact information to target individuals with ads – something it had previously denied doing. This is data, such as a phone number, that the user never gave Facebook but that was collected from their friends’ uploaded contact lists and then used to match them to advertisers’ targeting.