Facebook’s engineering team has discovered a security weakness that allowed hackers to access as many as 50 million accounts, the company announced in a blog post on Friday.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” Facebook Vice President of Product Management Guy Rosen wrote in the statement.
The company became aware of the attack after it noticed a spike in user activity on Sep. 16, CNBC News reported.
According to Rosen, hackers “exploited a vulnerability in Facebook’s code” with regards to the platform’s “View As” feature.
The feature allows users to view their own page from the perspective of another user, he explained.
The security weakness “allowed [the hackers] to steal Facebook access tokens which they could then use to take over people’s accounts,” Rosen said.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he explained.
Rosen said the attack was made possible due to a change Facebook made to its video uploading feature in July of 2017.
The hackers “exploited the complex interaction of multiple issues in our code” impacting the “View As” feature, then used the weakness to steal more access tokens from other accounts, he said.
Facebook does not know who carried out the attacks or where they were carried out.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen said.
In the meantime, Facebook has notified law enforcement about the breech and repaired the vulnerability that allowed the hackers to access accounts.
The social media platform said it has also “reset the access tokens” of nearly 50 million accounts that they were able to determine had been “affected” by the attack.
“We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year,” Rosen said.
The company has temporarily shut down the “View As” feature pending a security review.
Approximately 90 million Facebook users will be required to log back into their accounts due to the access token change, but password resets aren’t necessary, according to the company.
“After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” Rosen wrote.
“People’s privacy and security is incredibly important, and we’re sorry this happened,” he added. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
According to CNBC News, Facebook is working to increase the number of employees who work on improving security from 10,000 to 20,000.
"Security is an arms race, and we're continuing to improve our defenses," Facebook CEO Mark Zuckerberg told CNBC News. "This just underscores there are constant attacks from people who are trying to underscore accounts in our community."
Zuckerberg also addressed the issue in a Facebook post on his personal page on Friday.
“While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place,” he wrote.
Facebook recently reported having 1.47 billion daily active users around the world, KXAS reported.