A statement posted by Mark Zuckerberg on Facebook revealed that the company discovered a bug that allowed hackers to gain access to 50 million user accounts. The social media site has over 2 billion users worldwide. The hack is the latest setback for the social media giant amid rising concerns over privacy on Facebook.
According to the company’s blog post, the hackers used Facebook’s ‘view as’ feature, which lets users check how their profile looks to someone else, to get hold of the tokens Facebook uses to keep people logged in. By possessing these tokens, hackers were able to log into accounts without using a password.
While the company says it has patched the bug responsible for the exploit, it has not been able to determine who was responsible for the attack or whether the hacked accounts were misused. To deal with the issue, Facebook reset the login sessions of 90 million people, who were logged out automatically by the company.
“On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook,” wrote Zuckerberg. “We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”
Although the hack didn’t affect any user passwords, hackers can see private information and post updates through the hacked accounts. A bigger concern, however, is whether the third-party apps that use Facebook login were affected. If that is the case, hackers could use the access token to gain access to various applications and websites that use Facebook login.
The company has said that while users don’t need to change their passwords, they’re advised to check their logged-in sessions on the settings page for suspicious activity. In addition to logging out 90 million people, the company has also disabled the ‘view as’ feature for now. The company also says that no credit card information was compromised.
The company has reported the matter to law enforcement and begun its own investigation to identify the hacker or hackers.