Facebook says almost 50 million of its users were left exposed by a security flaw. The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people’s accounts.
The breach was discovered on Tuesday, Facebook said, and it has informed police. Users that had potentially been affected were prompted to re-log-in on Friday. The company has confirmed to reporters that the breach would allow hackers to log in to other accounts that use Facebook’s system, of which there are many.
The firm would not say where in the world the 50 million users are, but it has informed Irish data regulators, where Facebook’s European subsidiary is based. The company has confirmed that Facebook founder Mark Zuckerberg and its chief operating officer Sheryl Sandberg were among the 50 million accounts affected.
Facebook’s “View As” function is a privacy feature that allows people to see what their own profile looks to other users, making it clear what information is viewable to their friends, friends of friends, or the public.
Attackers found multiple bugs in this feature that “allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts”, Mr Rosen explained. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.