Facebook has confirmed that 50 million of its users were exposed due to a security flaw that allowed hackers to extract personal information from those accounts.
The social networking company discovered the breach on Tuesday and then informed the police to carry out an investigation.
Users who have been affected were automatically logged out of their accounts on Friday and had to log in again to use Facebook. If your Facebook app or Facebook in your web browser recently prompted you to log in even though you didn’t log out manually, it means your account was among the ones exposed in the hack.
According to the company, the attackers were able to exploit a code flaw in Facebook’s “View As” feature.
Guy Rosen, the vice-president of product management at Facebook, said that the flaw has been fixed for now and that the 50 million accounts, in addition to another 40 million, had been reset “as a precautionary step”.
The social media firm also told reporters that the hackers will be able to access breached accounts on other websites too. Facebook credentials are used to easily log in to other websites, so other websites such as Daraz, Patari, or Disqus may also be affected.
What Data Has Been Stolen?
A company spokesperson said that the company has not yet determined which accounts were misused, or which ones were used to extract information. He also confirmed that the personal profiles of Mark Zuckerberg and Sheryl Sandberg – Facebook’s chief operating officer – were breached.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”
The “View As” Exploit
Facebook’s “View As” feature allows you to see what your profile looks like to other users. It shows you your profile from the perspective of your Facebook friends, mutual friends, or the public, so you can see which info is shown to whom.
The hackers were able to find vulnerabilities and bugs in this function, which “allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts”, according to Guy Rosen.
He explained that,
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
This massive breach comes at a time when Facebook is already under scrutiny from lawmakers throughout the world over privacy concerns. The firm’s main business model uses data taken from its users, but it has been failing to prove its capability to protect public data.
Facebook still has not revealed whether anyone within the company will be held accountable for the breach, or why these bugs were not fixed in time.