Image shows Facebook at Ad.Tech London 2010 Credit: Derzsi Elekes Andor / Wikimedia Commons
A security breach affected the accounts of 50 million Facebook users, the social media giant said Friday, adding that it was not clear whether the attacker had misused any accounts.
The breach prompted Facebook to log out 40 million people from their accounts. Facebook said it has fixed the issue and is investigating the security breach.
The attacker exploited a vulnerability in a feature named “View As,” which allows Facebook users to see what their page looks like to others, the company said.
“We patched the security vulnerability to prevent this attacker or any other from being able to steal additional access tokens. And we invalidated the access tokens for the accounts of the 50 million people who were affected – causing them to be logged out,” Facebook founder Mark Zuckerberg said in a post.
“These people will have to log back in to access their accounts again. We will also notify these people in a message on top of their News Feed about what happened when they log back in.”
As a precautionary measure, he said, the platform has temporarily taken down the feature “View As.”
“We do not currently have any evidence that suggests these accounts have been compromised, but we’re taking this step as a precautionary measure,” Zuckerberg wrote.
Guy Rosen, VP of Product Management at Facebook, explained the issue in a blog post.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”