Facebook Says Attack Potentially Exposed Data of 50 Million Users: This Is 'Very Serious'
"This is a very serious security issue and we’re taking it very seriously," Mark Zuckerberg said
If you attempted to log into your Facebook account this morning, only to discover you had to re-enter your password, you were far from alone.
Millions of users were forced to log out of their accounts Friday morning, just days after Facebook discovered an attack on its computer network that exposed the personal information of nearly 50 million of its users, CEO Mark Zuckerberg told reporters over a conference call.
“This is a very serious security issue and we’re taking it very seriously,” Zuckerberg, 34, said on Friday.
Earlier this week, Facebook engineers discovered attackers had exploited the “View As” feature on personal profiles, which lets users see how their page looks to other people (e.g., how their private profile appears to family and friends, as opposed to a stranger who is not in their network). The vulnerability involved “access tokens”: by exploiting it, an attacker could take control of an account and use it as if they were its owner.
Access tokens keep Facebook users logged in without having to enter a password each time they open the app or website, explained Guy Rosen, VP of Product Management at Facebook.
“We have a major security effort at the company that hardens all of our surfaces,” Zuckerberg said, adding that the company will be hiring thousands of more employees to boost its security efforts. “I’m glad we found this. But it definitely is an issue that this happened in the first place.”
Facebook says it has fixed the issue and reported the attack to the FBI, but the investigation is ongoing and the company does not yet know who the attackers were or where they originated.
“Security is an arms race, and we’re continuing to improve our defenses,” said Zuckerberg. “This just underscores there are constant attacks from people who are trying to underscore accounts in our community.”
Because the exploit was related to access tokens, users do not have to change their password, the company said.
In addition to the 50 million people who were affected by the exploit, 40 million other users were logged out just for having used the “View As” option — which has now been temporarily suspended from profiles. Facebook said it is too early to say how the hackers intended to use the exploit or how much data they were able to access. More may be revealed as the investigation continues.
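An added illustration, not Facebook's code, of the two defensive properties the article describes: a "View As" preview that only ever issues a token bound to the viewing user with a read-only scope (never one that acts as the viewed user), and server-side revocation that invalidates every outstanding token for a user so they must log in again without changing their password. The HMAC scheme, the `TokenStore` class and all names are assumptions.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass, field
from typing import Dict, Optional

SECRET = b"constructed-demo-key"  # assumption: server-side signing key, never sent to clients

@dataclass
class TokenStore:
    # Per-user "generation" counter. Bumping it invalidates every token
    # previously issued to that user; the password is untouched.
    generation: Dict[str, int] = field(default_factory=dict)

    def _sign(self, payload: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def issue(self, user: str, scope: str = "full", viewed_as: Optional[str] = None) -> str:
        payload = {"sub": user, "gen": self.generation.setdefault(user, 0), "scope": scope}
        if viewed_as:
            payload["viewed_as"] = viewed_as
        return self._sign(payload)

    def preview_as(self, actor: str, target: str) -> str:
        # "View As": the subject stays the actor; the target is only a rendering hint.
        return self.issue(actor, scope="preview", viewed_as=target)

    def verify(self, token: str) -> Optional[dict]:
        body, _, mac = token.rpartition(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered or forged
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["gen"] != self.generation.get(payload["sub"], 0):
            return None  # revoked by a later revoke_all()
        return payload

    def can_act_as(self, token: str, user: str) -> bool:
        # Only a full-scope token whose subject is `user` may act on that account.
        p = self.verify(token)
        return bool(p) and p["sub"] == user and p["scope"] == "full"

    def revoke_all(self, user: str) -> None:
        # Equivalent of forcing a logout on every device: old tokens fail verify().
        self.generation[user] = self.generation.get(user, 0) + 1
```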
On Friday afternoon, Facebook shares tumbled nearly 3 percent following the revelations.
For the better part of two years, Zuckerberg dealt with the fallout stemming from the revelation that his platform was used by foreign agents to influence the 2016 presidential election.
In April, Zuckerberg appeared before Congress to answer questions from members of the Senate Judiciary and Commerce committees over Facebook’s reported misuse of user information.
“Across the board, we have a responsibility to not just build tools, but to make sure those tools are used for good,” Zuckerberg told lawmakers then. “It is clear now that we didn’t do enough to prevent these tools from being used for harm as well.”