SAN FRANCISCO – Facebook says the accounts of nearly 50 million users were breached in what was the largest-ever security incident of its kind at the giant social network, delivering another blow to public confidence in the embattled company.
The extent of the massive hack – how many Facebook users were affected and how much of their personal information was compromised – is not yet known.
Security researchers suspect the breach affected even more people than Facebook estimated. Facebook would not say if the number of breached Facebook accounts is likely to grow. The unidentified attackers did gain access at least to basic demographic information such as gender, hometown, name or birthday that people include in their Facebook profile.
Facebook says attackers exploited a feature in its code that allowed them to commandeer users’ accounts. Those accounts included those of Facebook CEO Mark Zuckerberg and his second-in-command, Sheryl Sandberg.
A spike in traffic triggered an internal investigation on Sept. 16. The breach was discovered Tuesday afternoon and the vulnerability was fixed Thursday night, the company said.
The disclosure of another in a series of security lapses has already brought political heat. Federal Trade Commission Commissioner Rohit Chopra said late Friday that he was alarmed by the Facebook breach. The FTC and other agencies are already investigating Facebook after it revealed political targeting firm Cambridge Analytica accessed the accounts of 87 million users without their consent.
“These companies have a staggering amount of information about Americans. Breaches don’t just violate our privacy, they create enormous risks for our economy and national security,” Chopra said in a statement to USA TODAY. “The cost of inaction is growing and we need answers.”
Facebook says it has not identified the attackers nor does it know the origin of the September attack. The Silicon Valley company notified the FBI on Wednesday.
“We are still in the early phase of investigating this,” Facebook CEO Mark Zuckerberg told reporters Friday. “We do not yet know if any of the accounts were actually misused.”
Zuckerberg says Facebook has invested heavily in security measures but will step up efforts to lock down Facebook users’ accounts.
“The reality here is we face constant attacks,” he said. “We need to do more to prevent this from happening in the first place.”
More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning as a security measure. They will be notified why at the top of their News Feed, the Facebook CEO said.
How the attack worked
Attackers exploited a vulnerability in Facebook’s code that affected “View As,” a feature that lets people see what their own profile looks like to someone else. The feature was built to give users more control over their privacy. Three software bugs in Facebook’s code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people’s accounts.
These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook.
How it worked: Once the attackers had access to a token for one account, call it Jane’s, they could then use “View As” to see what another account, say Tom’s, could see about Jane’s account. The vulnerability enabled the attackers to get an access token for Tom’s account as well, and the attack spread from there. Facebook said it has turned off the “View As” feature as a security precaution.
The attackers could have also gained access to Facebook users’ accounts on other apps and websites they access with Facebook Login, the feature that allows you to log in to other online services with your Facebook credentials, the company said.
Facebook has reset the tokens of the nearly 50 million accounts that were affected and, as a precaution, it has also reset the tokens for another 40 million accounts that have used “View As” in the past year. Resetting the tokens logged the affected Facebook users out of the service and should also have logged them out of third-party apps and websites they access through Facebook Login.
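To make the mechanism described above concrete, here is an added toy model (constructed for this article, not Facebook's code, and the class, method and account names are hypothetical): a token service whose “View As” preview wrongly mints a full-privilege token for the viewed-as account, beside a fixed version whose preview token cannot act as that account, plus the bulk token reset used as remediation.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Token:
    user: str       # account this token acts as
    issued_to: str  # account that requested it
    scope: str      # "full" (normal login) or "preview" (View As only)


class TokenService:
    """Hypothetical access-token store used to illustrate the flaw."""

    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def _mint(self, user: str, issued_to: str, scope: str) -> str:
        tid = secrets.token_hex(8)
        self.tokens[tid] = Token(user, issued_to, scope)
        return tid

    def login(self, user: str) -> str:
        return self._mint(user, user, "full")

    def view_as_vulnerable(self, caller_tid: str, viewer: str) -> str:
        # Flaw: the preview renderer hands the caller a real, full-scope
        # token for the viewer account. Holding Jane's token yields Tom's.
        caller = self.tokens[caller_tid]
        return self._mint(viewer, caller.user, "full")

    def view_as_fixed(self, caller_tid: str, viewer: str) -> str:
        # Fix: the preview token is scoped so it can only render the
        # caller's own profile from the viewer's perspective.
        caller = self.tokens[caller_tid]
        return self._mint(viewer, caller.user, "preview")

    def can_act_as(self, tid: str, user: str) -> bool:
        """Invariant to test: a View As token must never act as the viewed-as user."""
        t = self.tokens.get(tid)
        return t is not None and t.scope == "full" and t.user == user

    def reset_tokens(self, users: Set[str]) -> int:
        # Remediation from the article: invalidating tokens logs the
        # affected accounts out everywhere, including tokens they obtained.
        doomed = [tid for tid, t in self.tokens.items()
                  if t.user in users or t.issued_to in users]
        for tid in doomed:
            del self.tokens[tid]
        return len(doomed)
```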
“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more,” Zuckerberg said.
When these 90 million people log back into Facebook or any apps that use Facebook Login, they will be notified at the top of their News Feed, Guy Rosen, vice president of product management, said.
Facebook says there’s no need for users to reset their passwords. But security experts recommend they do it anyway.
Calls for investigation
The breach marks the latest privacy mishap for Facebook, which has been hammered for the Cambridge Analytica scandal and the unchecked spread of Russian propaganda during and after the 2016 presidential election.
Confidence in the giant social network used by more than 2 billion people around the world has been shaken by the troubling revelations. Another two billion people use Facebook messaging app WhatsApp and Facebook-owned Instagram.
“This is clearly a breach of trust, and we take this very seriously. We are working with lawmakers and regulators to let them know what happened,” Rosen told reporters.
Even before Friday’s disclosure, Facebook was ensnared in multiple investigations, including a Securities and Exchange Commission inquiry into the company’s statements about the leak of millions of people’s data to Cambridge Analytica.
Such a massive breach is likely to trigger more calls for oversight of Facebook and other tech giants. The Irish Data Protection Commission complained Friday about the lack of detail in Facebook’s initial report. The UK Information Commissioner’s Office said it planned to investigate.
Democratic Senator Mark Warner, the vice chairman of the Senate Intelligence Committee, called for a swift and public probe into the breach.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Warner said in a statement. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
The FTC on Friday had no comment on whether it was investigating Facebook over this latest breach.
Forrester analyst Jeff Pollard says the Facebook breach illustrates the perils of handing so much sensitive data over to a single company. A critical part of warding off future attacks will be Facebook limiting access to users’ data, he said.
“The fact that a breach at one company can impact tens of millions of users is troubling. Attackers go where the data is, and that has made Facebook an obvious target,” he said in a statement. “The main concern here is that one feature of the platform allowed attackers to harvest the data of tens of millions of users.”