Facebook data breach affects 50 million users – Metro US

Facebook data breach affects 50 million users

A Facebook data breach that occurred earlier this week has affected almost 50 million users, the social media site announced Friday.

“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” Vice President of Product Management Guy Rosen wrote in a blog post.

Rosen said the Facebook data breach was discovered by the company’s engineering team on Tuesday afternoon.

While Rosen said the investigation is still in its early stages, “it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else.”

The attackers behind the Facebook data breach were able to obtain access tokens that gave them control over users’ accounts. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen explained.

Is my account safe after the Facebook data breach?

Rosen said that after the Facebook data breach was discovered, the company fixed the vulnerability and alerted law enforcement.

Facebook then reset access tokens on the nearly 50 million accounts “we know were affected to protect their security,” he added.

The company also took precautions and reset access tokens on 40 million other accounts that “have been subject to a ‘View As’ lookup in the last year,” Rosen continued.

What that means now is about 90 million users will have to log back into Facebook — or any apps that use Facebook Login.

“After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” Rosen said.

In the wake of the Facebook data breach, the “View As” feature has been turned off while the social network does a “thorough security review.”

Facebook said it does not yet know who was behind the attacks or where they are located, and that it will reset access tokens immediately if it finds additional affected accounts.

“People’s privacy and security is incredibly important, and we’re sorry this happened,” Rosen wrote. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords.”

An expert weighs in on Facebook data breach

“Attacks on large sites with the goal of stealing account data is perpetual. Features provided for ‘ease of use’ like security tokens to ‘stay logged in’ or to provide limited access to other apps/users become vulnerable touch points for hackers,” Vijay Pullur, CEO of cybersecurity company ThumbSignIn, told Metro. “It is clear the future of security is in relying on ‘true identity’ by marrying physical possession of a device and digital access. Even though vulnerabilities on these sites exist, the user gets notified of breaches immediately or, even better, their accounts cannot be accessed at all through the use of biometrics, which grant permissions on a device in physical possession.”