Facebook said it discovered a security breach affecting nearly 50 million user accounts.
The social media giant said on Friday that its engineering team found the security issue earlier this week, and that it stems from a change made to Facebook’s video uploading feature in July 2017.
Facebook chief executive Mark Zuckerberg said engineers discovered the breach on Tuesday, and patched it on Thursday night.
“We don’t know if any accounts were actually misused,” Zuckerberg said. “This is a serious issue.”
While the investigation is still in its early stages, the company said hackers exploited the “View As” feature on the service.
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted View As, a feature that lets people see what their own profile looks like to someone else,” wrote Guy Rosen, vice president of product management at Facebook, in a blog post.
“This allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged into Facebook so they don’t need to re-enter their password every time they use the app.”
To deal with the issue, Facebook reset some logins – 90 million people have been logged out and will have to log in again. That includes anyone who has been subject to a View As lookup in the past year.
After they log back in, users will receive a notification at the top of their News Feed explaining what happened.
The View As feature will be temporarily turned off while the company conducts a security review.
Facebook said it has taken steps to fix the security problem and alerted law enforcement but doesn’t know who is behind the attacks.
Facebook has more than two billion users worldwide. Following news of the security breach, the company’s shares slumped more than three percent.
The hack is the latest security headache for the tech behemoth, which has been dealing with political disinformation campaigns from Russia and elsewhere since 2016.
News broke early this year that a data analytics firm that once worked for US President Donald Trump’s campaign, Cambridge Analytica, had gained access to personal data from millions of user profiles.
Then a congressional investigation found agents from Russia and other countries had been posting fake political ads since at least 2016. Facebook CEO Mark Zuckerberg appeared at a congressional hearing over Facebook’s privacy policies in April.
Ed Mierzwinski, senior director of consumer advocacy group US PIRG, said the breach was “very troubling”.
“It’s yet another warning that Congress must not enact any national data security or data breach legislation that weakens current state privacy laws, preempts the rights of states to pass new laws that protect their consumers better, or denies their attorneys general rights to investigate violations of or enforce those laws,” he said in a statement.