Facebook announced on Friday that it has reset access to 90 million user accounts after finding a security breach, which will force the affected users to log back into their accounts. The breach allowed hackers to access other people’s accounts and directly affected 50 million of those accounts.
Facebook CEO Mark Zuckerberg stated in a press call, “We patched the issue last night. We do not yet know whether any private information was accessed.”
The company said that it doesn’t yet know whether anyone used the breach to access personal information, including private messages, from those 50 million Facebook users without their knowledge. It did confirm that hackers were able to access profile information, including age, gender, and place of residence, but said that they didn’t have access to any credit card information.
Facebook said that it has engaged the FBI and security agencies to help investigate the breach.
Facebook observed that the spark of the hack was a Facebook feature that allows users to view their own Facebook page the way other users with different access levels (friends, family, or unknown users) would see it. This “view as” feature could apparently also be exploited to steal access tokens and take over third-party accounts.
“We’re temporarily turning off the ‘View As’ feature while we conduct a thorough security review,” Rosen wrote Friday. Users who have been affected by the breach will have to log back into their Facebook account, and the company said that it would post a note atop their newsfeed explaining the situation.
Rosen explained during Friday’s call that the company inadvertently introduced three bugs when it made changes to its video uploader in July of 2017. However, the company didn’t discover that these bugs could be used as an entry point to hack its system until this week. It informed law enforcement on Wednesday and closed the vulnerability late Thursday.
The company decided to disable access tokens for another 40 million users as a precautionary measure because it found that the profiles of those users were browsed with the “view as” feature enabled. However, this could also have been a legitimate use of the feature.