On Friday, Facebook revealed that a hacker exploited a bug in the company’s code to gain access to up to 50 million user accounts. Facebook says the investigation of the hack is in the early stages.
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” Guy Rosen, Facebook’s vice president of product management, said in the blog post.
“View As” allows users to see how their profile appears to other users. You can view your profile as another user to see, for example, if a certain photo or status update appears when they browse your profile page.
According to Facebook, passwords were not leaked in the hack and do not need to be changed.
However, user access tokens were affected. These tokens allow users to stay logged into their account as they use their browser. With an access token, a hacker wouldn’t learn your password, but they would gain access to your Facebook account.
In a call with press Friday afternoon, Rosen explained that even though the attacker had access to users’ access tokens, Facebook’s investigation revealed that certain private information was safe. “Access tokens were not used to access private messages,” Rosen said. “We can also confirm no credit card information was leaked.”
As a countermeasure, Facebook has logged out all 50 million users who may have been susceptible to the attack. If you’ve been logged out of your account, chances are your account was affected. The company has also logged out another 40 million users who were subjected to a “View As” search within the last year.
The year 2018 has been a tough one for Facebook, between congressional hearings and the whistle-blowing over the vast amounts of personal information collected by Cambridge Analytica. This recent hack, however, is markedly different from the Cambridge Analytica case. While the Sept. 25 breach involved hackers forcing their way into users’ accounts, Cambridge Analytica obtained its data from users within the bounds of Facebook’s rules at the time. According to Facebook, users offered their consent in the case of Cambridge Analytica.
Until Facebook completes its investigation, it’s unclear how much damage the September Facebook attack has done.
“Security is an arms race, but we’re continuing to improve our defenses,” Facebook CEO Mark Zuckerberg said in a press call Friday. “This is going to be an ongoing effort. We’re going to need to keep focusing on this over time.”