Facebook hack: 50 million people's accounts exposed by major mistake in social network's code, company admits
Anyone affected is unlikely to know about it
Facebook has suffered an attack that exposed 50 million people's personal accounts, the company has admitted.
A vulnerability in the social network's code meant that hackers could take over people's log-ins and see their most private information, the company said. It said that it was sorry the potential breach had occurred.
The issue related to the "view as" tool, which allows people to see their own profiles as they would look to other people. By exploiting that, hackers could steal the "access token" that keeps people's accounts safe and then break into them, Facebook said.
The company found the flaw on Tuesday and has only just begun its investigation, it said, meaning that it cannot say how the bug was used and who by. It did not say whether it knew who had been affected by the hack.
Anyone whose account was compromised is likely to be informed as Facebook continues its investigation. There is little that anyone can do apart from checking that an account does not appear to have been used by somebody else, and while it is good practice to change passwords regularly, that will not undo the effects of this attack.
Facebook said that law enforcement was informed and the bug had been patched. It had also completely turned off the "view as" feature for now and would reset those security codes so that anyone who broke into an account would now be kicked out.
That will mean that some 90 million people – the 50 million people thought to be affected, as well as a further 40 million who were subject to a "view as" request in the last year – will be kicked out of their accounts and will have to log back in. Having to do that does not necessarily mean that anyone has seen inside your account.
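The remedy described above works because an access token is a bearer credential: whoever holds a copy is logged in, so the only way to evict an attacker holding a stolen copy is to invalidate every token the account has ever been issued, which also logs out the real owner. The following is an added example, written for this article and not Facebook's code, showing one common way a service implements that mass reset: each account carries a "generation" counter, tokens are bound to the generation current when they were issued, and bumping the counter revokes all outstanding tokens at once. The `TokenStore` class, its field names and the sample account names are assumptions for illustration.

```python
"""Access-token revocation by per-account reset (added illustrative example).

Rather than hunting for individual stolen tokens, the service bumps a
per-account generation counter so every previously issued token, stolen
or legitimate, stops validating. The owner simply logs in again and
receives a token bound to the new generation. Names and format are assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class TokenStore:
    # Server-side MAC key so that forged or tampered tokens are rejected.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # Per-account generation counter; bumping it revokes all older tokens.
    generation: Dict[str, int] = field(default_factory=dict)

    def _sign(self, user_id: str, gen: int, nonce: str) -> str:
        msg = f"{user_id}:{gen}:{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Issue an opaque bearer token bound to the account's current generation."""
        gen = self.generation.setdefault(user_id, 0)
        nonce = secrets.token_hex(8)  # makes each token unique
        return f"{user_id}:{gen}:{nonce}:{self._sign(user_id, gen, nonce)}"

    def validate(self, token: str) -> Optional[str]:
        """Return the account id if the token is genuine and not revoked, else None."""
        try:
            # rsplit keeps any ':' inside the account id intact.
            user_id, gen_s, nonce, tag = token.rsplit(":", 3)
            gen = int(gen_s)
        except ValueError:
            return None  # malformed token
        if not hmac.compare_digest(tag, self._sign(user_id, gen, nonce)):
            return None  # forged or tampered
        if gen != self.generation.get(user_id, 0):
            return None  # issued before a reset, so revoked
        return user_id

    def reset_user(self, user_id: str) -> None:
        """Invalidate every outstanding token for one account."""
        self.generation[user_id] = self.generation.get(user_id, 0) + 1

    def reset_many(self, user_ids: Iterable[str]) -> int:
        """Reset a whole affected population; returns how many accounts were reset."""
        count = 0
        for uid in user_ids:
            self.reset_user(uid)
            count += 1
        return count


def demo() -> dict:
    """Constructed walk-through of the scenario in the article (sample data)."""
    store = TokenStore()
    owner_token = store.issue("alice")
    stolen_copy = owner_token          # attacker holds the very same bearer token
    bystander_token = store.issue("bob")

    result = {"stolen_valid_before": store.validate(stolen_copy) == "alice"}
    store.reset_many(["alice"])        # the "reset access tokens" step
    result["stolen_valid_after"] = store.validate(stolen_copy) is not None
    result["owner_logged_out"] = store.validate(owner_token) is None
    result["bystander_unaffected"] = store.validate(bystander_token) == "bob"
    result["owner_relogin_works"] = store.validate(store.issue("alice")) == "alice"
    return result


if __name__ == "__main__":
    print(demo())
```

The important design point is that the attacker's copy and the owner's copy are indistinguishable to the server, so revocation has to be per account, not per token; that is why the article's reset logs out 90 million people rather than only the intruders.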
Facebook did suggest that more people could be found to have been potentially affected, and that it was continuing its investigation.
"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Guy Rosen, its vice president of product management, wrote in a blogpost.
"We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details – and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens."
The attack came about because of a "complex interaction of multiple issues in our code", Facebook said. It gave few details about how it would have been exploited, beyond the fact that it relied on the "view as" feature and that it "stemmed from a change we made to our video uploading feature in July 2017" that affected that tool.
"People’s privacy and security is incredibly important, and we’re sorry this happened," Mr Rosen wrote in the post. "It’s why we’ve taken immediate action to secure these accounts and let users know what happened."
European data protection regulation means that Facebook is forced to make such potential breaches public as soon as they happen or face huge fines.
It is just the latest security issue to hit the site. In April, for instance, it said that malicious actors were using its search tool to harvest information about most of its two billion users.
And last month its former security chief warned that it was already too late to stop the site being used to interfere with the upcoming midterm elections.
Those warnings come soon after the company was embroiled in the Cambridge Analytica scandal. The academic at the heart of the scandal said that such data collection was "rife" and that the company was struggling to deal with the fallout from the affair.