50 Million Facebook Accounts Affected in Massive Security Breach

Photo: Jeff Chiu (AP)

An estimated 50 million Facebook user profiles were affected by a security breach, the company confirmed in a blog post today. The breach could have allowed attackers to take over the accounts of affected users, as well as log in to a vast number of external sites using Facebook’s single sign-on feature. The full extent of the attack, however, remains unknown.

The breach, which the company says it discovered on Tuesday, “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else.” Currently the company’s internal investigation “is still in its early stages” and no indication has been given as to who might be behind the attack or what user data (if any) was exfiltrated.

Login tokens have been reset for the 50 million accounts directly affected, as well as for an additional 40 million accounts on which the “View As” feature was used within the past year. The vulnerability that enabled the attack, according to Facebook, “stemmed from a change we made to our video uploading feature in July 2017.”

News of the security breach comes at a particularly vulnerable time for Facebook, which is currently facing federal investigation and regulation over its role in the Cambridge Analytica scandal. Earlier this year, it was revealed that Cambridge Analytica had misused data from some 87 million Facebook users. The firm shut down in May in the wake of the privacy debacle.

In an email, Federal Trade Commissioner Rohit Chopra expressed his alarm at the breach: “These companies have a staggering amount of information about Americans. Breaches don’t just violate our privacy, they create enormous risks for our economy and national security,” he said.

Chopra added, “The cost of inaction is growing and we need answers.”

In a press conference shortly after Facebook made the blog post, CEO Mark Zuckerberg described the breach as an “attack” and mentioned that those responsible had attempted to query Facebook’s database for personal information about those whose profiles had their login tokens taken.

The “view as” feature has since been turned off, and Facebook’s VP of Product, Guy Rosen, stated that the company is working alongside law enforcement and the FBI to gather more information. Responding to questions from reporters, Rosen said, “this is clearly a breach of trust and we take this very seriously.” In a second conference call, Rosen clarified that these stolen tokens could have been used to log in to third-party services that authenticate through Facebook.

In a statement, Sen. Mark Warner, co-chair of the Senate Cybersecurity Caucus, said the breach was “deeply concerning,” calling for a full investigation at once. “Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” he said.

Calling the breach “another sobering indicator,” Warner said it was time for Congress to “step up and take action.” “As I’ve said before—the era of the Wild West in social media is over,” he added.

Update 1:55pm ET: Added statement from Sen. Mark Warner, Democrat of Virginia.

Update 4:55pm ET: Added statement from FTC Commissioner Rohit Chopra.

Update 5:18pm ET: Added additional information from Facebook’s second media briefing.

About the author

Bryan Menegus

Senior reporter. Tech + labor /// bgmwrites@gmail.com Keybase: keybase.io/bryangm Securedrop: http://gmg7jl25ony5g7ws.onion/

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846
