An estimated 50 million Facebook user profiles were affected by a security breach, the company confirmed in a blog post today. The breach could have allowed attackers to take over the accounts of affected users, as well as login into a vast number of external sites using Facebook’s single sign-on feature. The full extent of the attack, however, remains unknown.
The breach, which the company says it discovered on Tuesday, “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else.” Currently the company’s internal investigation “is still in its early stages” and no indication has been given as to who might be behind the attack or what user data (if any) was exfiltrated.
Login tokens have been reset for the 50 million accounts directly affected, as well as an additional 40 million accounts that the “view as” feature was used on within the past year. The vulnerability allowing the exploit, according to Facebook, “stemmed from a change we made to our video uploading feature in July 2017.”
News of the security breach comes at a particularly vulnerable time for Facebook, which is currently facing federal investigation and regulation over its role in the Cambridge Analytica scandal. Early this year, it was revealed that the firm misused data from some 87 million Facebook users. Cambridge Analytica shut down in May in the wake of the privacy debacle.
In an email, Federal Trade Commissioner Rohit Chopra expressed his alarm at the breach: “These companies have a staggering amount of information about Americans. Breaches don’t just violate our privacy, they create enormous risks for our economy and national security,” he said.
Chopra added, “The cost of inaction is growing and we need answers.”
In a press conference shortly after Facebook made the blog post, CEO Mark Zuckerberg described the breach as an “attack” and mentioned that those responsible had attempted to query Facebook’s database for personal information about the those whose profiles had their login tokens taken.
The “view as” feature has since been turned off, and Facebook’s VP of Product, Guy Rosen, stated that the company is working alongside law enforcement and the FBI to gather more information. Responding to questions from reporters, Rosen said, “this is clearly a breach of trust and we take this very seriously.” In a second conference call, Rosen clarified that these stolen tokens could have been used to log in to third-party services that authenticate through Facebook.
In a statement, Sen. Mark Warner, co-chair of the Senate Cybersecurity Caucus, said the breach was “deeply concerning,” calling for a full investigation at once. “Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” he said.
Calling the breach “another sobering indicator,” Warner said it was time for Congress to “step up and take action.” “As I’ve said before—the era of the Wild West in social media is over,” he added.
Update 1:55pm ET: Added statement from Sen. Mark Warner, Democrat of Virginia.
Update 4:55pm ET: Added statement from FTC Commissioner Rohit Chopra
Update 5:18pm ET: Added additional information from Facebook’s second media briefing