Facebook announced on Friday that it recently discovered a data breach affecting 50 million user accounts.
The social media giant said the security issue was uncovered by its engineering team on Tuesday, Sept. 25.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” Facebook explained.
The Menlo Park, Calif.-based company said the bug allowed attackers to take over user accounts. However, it has since fixed the security flaw and informed law enforcement officials.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” said Guy Rosen, Facebook’s VP of Product Management, in a statement.
In response to the breach, Facebook said about 90 million users were forced to log out of their accounts early Friday.
“We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to ‘View As’ look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login.”
The company added it has temporarily turned off the “View As” feature while it conducts a thorough security review.
The social network noted it has yet to determine whether the accounts were misused or if any information was accessed. The identity of the attackers is also still unknown.
“We’re working hard to better understand these details… In addition, if we find more affected accounts, we will immediately reset their access tokens,” said Rosen.
Facebook CEO Mark Zuckerberg also acknowledged the breach in a Facebook post.
Tim Erlin, VP of Product Management and Strategy at Tripwire, suggests the incident may have further repercussions down the road.
“In this day and age of active disinformation campaigns on social media, control of 50 million accounts is a big deal. Inside the walls of Facebook, there has got to be concern over any GDPR-related repercussions. This could be a real litmus test for the fledgling regulation,” said Erlin.