A security breach at Facebook has affected nearly 50 million of the social media platform’s users, Facebook said Friday.
Facebook discovered the breach on Tuesday, informed law enforcement on Thursday and is cooperating with the FBI, Facebook vice president of product management Guy Rosen told reporters on a call Friday afternoon. The company has also informed the Irish Data Protection Commission.
The full extent of the breach is not yet known, but Rosen said attackers tried to access users’ personal information—like their name, sex and hometown—and that they would have been able to access Facebook accounts and act as the account holders.
Facebook has not yet identified the attackers or determined where the attack originated from. Rosen said Facebook “may never know” who was behind the attack, which he described as a sophisticated exploitation of three bugs in Facebook’s code.
According to Facebook, attackers exploited a Facebook feature called View As that lets users see what their profiles look like to other people on the platform. Those attackers were able to use the bugs to steal access tokens, which keep users logged into their Facebook accounts so they do not need to re-enter their passwords each time they access Facebook.
The hackers used bugs in Facebook’s View As feature along with an additional bug in a video uploading feature that encouraged Facebook users to wish their friends a happy birthday in order to steal access tokens.
The full extent of the breach isn’t known, and it’s unclear how long the 50 million affected users had their accounts compromised. An update to Facebook’s video uploading feature released in July 2017 was the entry point for the hackers, Facebook said, but Rosen said in a call with reporters that the company was made aware of the vulnerabilities with a spike in traffic on September 16, 2018.
In response to the breach, the company has temporarily disabled the View As feature and is conducting a security review. Every Facebook user who has used View As—about 90 million Facebook users in total—will be required to log back in to the website as a precautionary measure. The 50 million affected users will be required to log back in and will receive a notification at the top of their screen informing them of the breach.
If any of the 50 million affected account holders used their Facebook credentials to log into other services, like Instagram, those peripheral accounts were also affected by the breach, Rosen said.
“The reality here is we face constant attacks from people who want to take over accounts or steal information,” Facebook CEO Mark Zuckerberg said on the call. But, he added, “we need to do more to prevent this from happening in the first place.”
The hack comes as Facebook is under withering scrutiny for how it handles and protects the personal data of its more than 2 billion monthly users, beginning with a Russian disinformation campaign during the lead-up to the 2016 presidential election and heightening further with the Cambridge Analytica scandal in March. Facebook is already the subject of a number of federal investigations, and Zuckerberg and Facebook COO Sheryl Sandberg have appeared before lawmakers to defend and explain their company’s data collection practices.
Sen. Mark Warner, the ranking Democrat on the Senate Intelligence Committee who is pushing for tighter regulation, said in a statement Friday that the news of the breach was “deeply concerning.”
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Warner said. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”
Facebook has made a number of changes to its platform and ran a global ad campaign in an effort to rebuild trust with users, and it is lobbying for federal privacy regulations. But the security breach comes at an already low point for the company. In a survey conducted in July, U.S. consumers said they largely did not trust Facebook with their personal data.
In an interview with Adweek in early September, Facebook’s global head of marketing solutions, Carolyn Everson, said rebuilding trust with the public was the company’s “total focus.”
The investigation into the security breach is ongoing. Facebook said it would provide more updates as more information becomes available.
Editor’s note: This has been updated to reflect Facebook’s second media call, at 5pm ET.