Facebook on Friday revealed a security breach that affected the accounts of as many as 50 million users.
A statement from Guy Rosen, the vice-president of Product Management, confirmed that Facebook engineers discovered the breach on September 25, with the attackers exploiting a vulnerability in Facebook's code that affected the 'View As' feature.
The feature allows users to view their profile the way it appears to others. The breach allowed the attackers to steal Facebook 'access tokens', which are essentially like digital keys that keep a user logged in, eliminating the need to log in every time the app is used. The access tokens can be used to hijack other accounts.
The statement further said that Facebook's investigation is still in the early stages, although the company has rectified the vulnerability and alerted law enforcement authorities. It has also reset the access tokens of the 50 million profiles that were affected and, as a precaution, is resetting the access tokens for a further 40 million accounts that have gone through a 'View As' look-up in the last year.
"View As" has been temporarily disabled as a security review is being conducted.
The vulnerability in the code originates from a change made in July last year to Facebook's video uploading feature, which affects 'View As'.
The statement added that the hackers have not yet been identified, and it is yet to be ascertained whether information from the 50 million accounts was accessed or misused.
"We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security. We're working hard to better understand these details - and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens," the statement read.
"There's no need for anyone to change their passwords. But people who are having trouble logging back into Facebook - for example because they've forgotten their password - should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the "Security and Login" section in settings," the statement added.