Facebook on Friday disclosed a security breach affecting nearly 50 million accounts, but the company is still determining the full scope of the attack.
The social network first learned of the breach when it noticed a spike in unusual user activity on Sept. 16. Following an investigation, Facebook uncovered the attack on Tuesday, Guy Rosen, VP of Product Management, told journalists in a press call.
The unknown hackers exploited three software vulnerabilities in Facebook’s code impacting the “View As” feature, which lets you see what your profile looks like to the public or a specific individual. By exploiting the bugs, the attackers stole Facebook access tokens for user accounts—aka “digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen explained.
With an access token, an attacker could take over your account and use it as if they were you. Any private messages you sent over Facebook could’ve been accessed. The company is also investigating the possibility that the hackers may have breached third-party apps and services linked to the affected Facebook accounts.
The social network has patched the vulnerabilities, notified law enforcement about the breach, and reset the access tokens of all impacted accounts. As a precaution, Facebook is resetting the tokens for another 40 million accounts “that have been subject to a ‘View As’ look-up in the last year.”
The company said there’s no evidence those other 40 million accounts have been compromised. But for now, Facebook is turning off the “View As” feature while it investigates the incident.
In total, around 90 million people will have to log back in the next time they try to access the platform. On a call with reporters Friday, Facebook executives said no actual passwords were taken, so a password reset is not necessary. No credit card information was affected, they added.
At this point, many questions remain: “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen wrote. “We also don’t know who’s behind these attacks or where they’re based.”
However, the company has uncovered how the attack worked.
By exploiting the three bugs, a bad actor could use your Facebook account to steal the access tokens of anyone you’ve ever friended on the platform. With those tokens, hackers could then access their accounts and repeat the process, looting more and more tokens as they go.
It isn’t clear if the hackers exploited the software flaws before Sept. 16. But the exploited vulnerabilities are connected to a video-uploading function Facebook added in July 2017. Through Facebook’s “View As” feature, the video-uploading function could be abused to generate an access token for your friend’s account, specifically through posts wishing them a happy birthday.