Facebook has disclosed a security incident affecting between 50 and 90 million user accounts.
On Tuesday (25 September), the social network’s engineering team discovered that an attacker had exploited a vulnerability in the code behind a feature called “view as”, which lets users see how their profiles appear to others.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook’s vice president of product management Guy Rosen said in a statement posted on Facebook’s website on Friday (28 September).
The company said its investigation was still in its early stages, but claims to have fixed the vulnerability and informed law enforcement. It has also reset the access tokens of “the almost 50 million accounts we know were affected” and 40 million more that were “subject to a ‘view as’ look-up in the last year”. This involved automatically logging users out of their accounts. Facebook is disabling the “view as” feature until its investigation has concluded.
It is not yet clear if the attackers misused the accounts or gained access to any information, Facebook said. It does not know who is behind the attack or where they are based.
If you've been logged out of your account and asked to sign back in, it’s because we've discovered a security issue and are taking immediate action to protect people on Facebook. Learn more https://t.co/XLcHGYFBu2
— Facebook (@facebook) September 28, 2018
“This attack exploited the complex interaction of multiple issues in our code,” Rosen added. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
In a Facebook post, CEO Mark Zuckerberg said the company faces “constant attacks from people who want to take over accounts or steal information”.
“While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
It is not yet clear how many UK users have been caught up in the breach. The Information Commissioner’s Office and National Cyber Security Centre (NCSC) said they were investigating the impact of the breach in the UK.
“There is no evidence that people have to take action such as changing their passwords or deleting their profiles,” a spokesperson for NCSC said in a statement. “However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
Under the EU General Data Protection Regulation, Facebook could be fined up to four per cent of its annual global turnover. Its total revenue amounted to $40.65bn (£31.16bn) in 2017, meaning the company could be liable to a fine of up to $1.62bn (£1.24bn).
Chris Morales, head of security analytics at Vectra, commended Facebook for quickly identifying and responding to the vulnerability, but added “it is unfortunate for users, and also unfortunate for Facebook at a time when they are under intense scrutiny along with the recent departure of Facebook’s [chief security officer], Alex Stamos”.