Facebook today announced that a data breach on September 25 affected at least 50 million Facebook accounts.
The social network disclosed the breach Friday morning, issuing a statement that said an “attack” on its system led to “the exposure of information” affecting the 50 million users, according to the New York Times.
CEO Mark Zuckerberg posted a statement indicating the company had patched the vulnerabilities exploited by the attacker(s) and was investigating the incident further. This comes at a particularly inopportune time for the embattled billionaire, who recently pledged that his company would be more careful with user account data.
Guy Rosen, Facebook’s VP of Product Management, described some of the details of the attack in a Facebook post:
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
The social network logged at least 90 million users out of their accounts this morning as a security precaution, standard procedure for data breaches. It also reset account access tokens and temporarily turned off the “View As” feature.
Facebook says it’s continuing its investigation and will update the press and users once it has more information concerning the breach. There’s still no word on the origin of the attack or which specific users’ accounts were affected.
We’ll update this post as we get more information, but in the meantime, it’s probably a good idea to change your Facebook password and check your security settings.