Facebook disclosed a security attack on its network that exposed the data of 50 million people.
Outside actors exploited a vulnerability in the social network’s “View As” feature that allowed them to access user profiles and take security tokens, giving them control over the accounts.
Facebook uses access tokens — bits of code that stand in for authentication credentials, but aren’t actually logins — so people don’t need to log in repeatedly across various web sites and pages.
The infiltration was discovered by the social giant on Tuesday.
Facebook contacted law enforcement earlier in the week. “People’s privacy and security is incredibly important, and we’re sorry this happened,” said Guy Rosen, Facebook vice president of product management, in a company blog post. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.” The company’s stock dropped 3 percent following the revelation of this latest breach.
The security failure follows several recently high-profile attacks against numerous companies, including GovPayNow’s breach earlier this month, which exposed 14 million records on government employees, and last year’s Equifax attack that compromised the identities and credit records of 145 million people.
Facebook does not yet know precisely how much data is at stake or who attacked its platform, but traces the security hole back to a July 2017 update on its video upload feature. The tech company says that the flaw has been fixed now, and because the theft involves tokens and not actual logins, people don’t need to change their passwords. To be on the safe side, Facebook logged out 90 million accounts, requiring those users to authenticate again to continue using the network.
The news couldn’t come at a worse time for Facebook, which is still reeling from the Cambridge Analytica scandal that compromised 87 million accounts. The company, which has been in the Congressional crosshairs over its handling of privacy matters and approach to security, has been under a looming threat of regulation and oversight.