Facebook revealed on Friday that a "security issue" discovered on Tuesday affected 50 million accounts. Those users, along with 40 million other accounts that might have been affected, are being asked to log back into Facebook as well as apps that use Facebook Login.
The attackers stole Facebook access tokens, which they could then have used to take over people’s accounts, according to the company. "It’s important to say — the attackers could use the account as if they are the account holder," said Guy Rosen, Facebook's vice president of product management.
Facebook CEO Mark Zuckerberg said in a call with reporters on Friday that the vulnerability, which he described as "a serious security issue," was patched Thursday night. He added that the company's investigation was "still very early" but showed the attackers haven't accessed any private messages, posts, or credit card information, though some public data such as names, gender, and hometown could have been accessed. "We don’t know how accounts were misused so far," he said.
As an extra precaution, Zuckerberg said, even though the company believes it has addressed the security vulnerability, Facebook would be temporarily taking down the "View As" feature, which allowed users to see what their own profile looked like to someone else. "We [want to] make sure there [are] no other security issues or vulnerabilities there," he said.
Facebook has informed law enforcement to help identify the attackers, but it does not know who is behind the attack or whether the attack only affected US users. "We haven't yet been able to determine whether there was specific targeting," Rosen told reporters. "It does seem broad."
Asked whether it was possible that the attackers were sophisticated actors or even a nation-state, Rosen said, "Our investigation is early, and it’s hard to determine who was behind this, and we may never know."
"This is a complex interaction of multiple parts that had to interact together," he added. "It did meet a certain level, in order for the attacker to run this attack in a way that not only gets access to tokens but then gets further access."
Facebook said it has also notified the Irish Data Protection Commission, since the breach has implications under the General Data Protection Regulation (GDPR), a sweeping EU regulation that took effect in May 2018 and seeks to give EU residents more control over their personal data and to clarify the responsibilities of online services with European users, including Facebook.
"We are going to continue investigating and as we find more, we will share what we know," Rosen said.
On a second conference call with reporters Friday afternoon, Facebook revealed new details about the extent of the attack, confirming that third-party apps were involved. According to Rosen, the attacker, whom Facebook hasn't publicly identified, accessed the View As feature and exploited three bugs to obtain Facebook Login access tokens for their friends' accounts. With each stolen token the attacker could pivot: log in as the next user, harvest tokens for that user's friends, and repeat. Facebook believes a single attacker or hacker group accessed all affected accounts.
In plain English, this means the hack gave the attacker access to every third-party app that affected users had connected through Facebook Login.
On the call, Facebook executives stressed it is focusing first on impacted users.
There was no clarification on what, if any, third-party apps were affected or what data might have been accessed on third-party apps. Facebook told reporters that users with affected Facebook accounts that are linked to Oculus or Instagram accounts will need to unlink them and re-link them. The company confirmed that no WhatsApp users were impacted.
Here's Facebook's full post about the attack:
On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement.
Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.
People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.
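The post describes access tokens as "digital keys" that keep people logged in, and its remedy is to reset those keys rather than passwords. The toy token service below makes that mechanism concrete. It is an added illustration, not Facebook's code: the names `TokenService`, `login`, `whoami` and `reset_tokens` and the sample accounts are hypothetical. Tokens are opaque random strings kept server-side and stamped with a per-account generation counter; a reset bumps the counter, so every token minted before it, including tokens issued to third-party apps through Login, stops resolving to a user, while the password itself keeps working for the next login. The same bump is what a one-click "log out everywhere" would do for a single account.

```python
"""Opaque bearer tokens with server-side reset (illustrative, not Facebook's code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Account:
    user_id: str
    password_hash: str        # stand-in for a real slow password hash
    token_generation: int = 0  # tokens from older generations are dead


@dataclass
class TokenRecord:
    user_id: str
    app_id: str               # "facebook" or a third-party app using Login
    generation: int           # account's generation when the token was minted


class TokenService:
    """Hypothetical token store: issue, resolve and mass-reset bearer tokens."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, TokenRecord] = {}

    def register(self, user_id: str, password_hash: str) -> None:
        self.accounts[user_id] = Account(user_id, password_hash)

    def login(self, user_id: str, password_hash: str, app_id: str = "facebook") -> Optional[str]:
        """Mint a fresh token for the caller's app if the credential checks out."""
        acct = self.accounts.get(user_id)
        if acct is None or not hmac.compare_digest(acct.password_hash, password_hash):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, opaque to the client
        self.tokens[token] = TokenRecord(user_id, app_id, acct.token_generation)
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Return the user this token acts as, or None if unknown or reset."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        acct = self.accounts[rec.user_id]
        if rec.generation != acct.token_generation:
            return None  # issued before the last reset: holder must log in again
        return rec.user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> int:
        """Invalidate every outstanding token for these users; passwords untouched."""
        count = 0
        for uid in user_ids:
            acct = self.accounts.get(uid)
            if acct is not None:
                acct.token_generation += 1
                count += 1
        return count

    def live_tokens(self, user_id: str) -> int:
        """How many stored tokens still resolve for this user (for the notification)."""
        return sum(1 for t in self.tokens if self.whoami(t) == user_id)


def demo() -> Dict[str, object]:
    """Walk through issue -> reset -> re-login with constructed sample accounts."""
    svc = TokenService()
    svc.register("alice", "hash-alice")
    svc.register("bob", "hash-bob")
    t_fb = svc.login("alice", "hash-alice")
    t_app = svc.login("alice", "hash-alice", app_id="third-party-game")
    t_bob = svc.login("bob", "hash-bob")
    before = (svc.whoami(t_fb), svc.whoami(t_app), svc.whoami(t_bob))
    svc.reset_tokens(["alice"])                  # precautionary reset for one account
    after = (svc.whoami(t_fb), svc.whoami(t_app), svc.whoami(t_bob))
    relogin = svc.whoami(svc.login("alice", "hash-alice"))  # same password still works
    return {"before": before, "after": after, "relogin": relogin}


if __name__ == "__main__":
    print(demo())
```

Resolving tokens through `whoami` means a stolen token is only as good as the account's current generation; the cost is a server-side lookup per request, which is exactly what makes an instantaneous reset of tens of millions of tokens possible.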
Charlie Warzel contributed additional reporting to this story.