Nearly 50 million users have been affected by a security breach that enabled hackers to take over their Facebook accounts — and to gain access to those users’ accounts on third-party sites and apps, the social media giant announced Friday.
The new breach comes as Facebook strives to convince its more than 2 billion users that it can be trusted. It is grappling with the fallout from the revelations that British consulting firm Cambridge Analytica harvested the personal data of up to 87 million users, as well as that it unwittingly played host to a massive Russian misinformation campaign during the 2016 U.S. elections. And on Thursday, Facebook confirmed that it had been using phone numbers provided by users for two-factor authentication as fodder for ad targeting.
The new vulnerability was discovered Tuesday afternoon and has been patched, Facebook said. But there may be unresolved effects.
A multitude of third parties — including major retailers, ride-hailing services, airline-ticket sellers and dating sites — allow people to sign in by using their Facebook logins. A hacker who took over a person’s Facebook account via the breach could also gain access to that person’s other accounts.
No password or credit card data were stolen directly from Facebook, Guy Rosen, Facebook vice president of product management, told reporters on a phone call Friday.
But Rosen could not rule out the possibility that hackers had made purchases using saved payment methods. He also said it was unclear whether the attackers had accessed private messages or posts and to what degree they had used hacked Facebook accounts. And he could not say what hackers had seen or done with users’ third-party accounts.
“This is a really serious security issue, and we’re taking it really seriously,” Facebook Chief Executive Mark Zuckerberg told reporters. “We need to be more proactive about defending our community.”
The company said in an online post that hackers “exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens” — which gave attackers full access to user profiles, as if the hackers were those users.
Access tokens are like digital keys that keep people logged in to the social network as they move between apps and websites, so they don’t have to enter their login info every time they open Facebook or use third-party services that rely on their Facebook logins.
Facebook said it has reset the tokens of all affected users and, as a precaution, the tokens of 40 million additional users who had interacted with the View As feature in the year since the vulnerability was introduced. They will have to log back in next time they use the service.
The company said it is in the early stages of its investigation into the issue, and has reported the breach to the FBI and to Irish law enforcement officials. Rosen said the company has not determined when the vulnerability was first exploited or who orchestrated the attack, where it came from or whether it had targeted a particular subsection of Facebook’s users.
Based on the rapid speed and scale of the attack, Rosen said it likely involved some degree of automation.
Facebook discovered the attack after detecting an unusual leap in user activity Sept. 16, and its investigation revealed the nature of the attack this Tuesday, Rosen said. He said that on Wednesday, Facebook notified law enforcement agencies and began patching the vulnerabilities, finishing Friday morning.
The Irish Data Protection Commission confirmed that Facebook had notified it of the breach, adding in an email that “the notification lacks detail and the [commission] is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users.”
Rosen said the attackers exploited a vulnerability in Facebook’s code that took advantage of three separate bugs that were introduced over a year ago, when engineers updated the video upload feature in July 2017, and hinged on reminders to wish friends a happy birthday.
The first bug caused the video uploader to create an access token — strange, but by itself not a major risk, since users already had to be logged in to use the video uploader, which meant that they already had a token on their device.
The second bug is where birthdays enter the picture. The View As function let users see their profile pages as if they were someone else, in order to determine whether their privacy settings were to their liking. Typically, the video uploader wouldn’t appear in View As mode, but because of the second bug, the video uploader did appear when the page being viewed contained notifications from Facebook urging the user to send birthday messages to friends.
The third bug turned those minor errors into a major security issue. If a user viewed their own profile page as if they were a particular Facebook friend — say, an old roommate — and the video uploader appeared on the page, the uploader would spit out an access token not for the user's own account, but for the ex-roommate's. That token provided full access to the ex-roommate's Facebook account.
Once the hackers gained access to one account, they could then repeat the process with that account’s friends, over and over.
Facebook stock fell 2.6% on Friday to $164.46 a share.