Facebook (FB) said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.
More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out. Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged-out users will receive a notification about the issue from Facebook, but it won't tell them whether they were in the group of 50 million impacted or the 40 million included as a precaution.
The attackers would also have been able to access third-party services or sites accessed with a Facebook login, Facebook's Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could also have impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. It's the largest hack ever for Facebook, a spokesperson said.
The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the "View As" feature that the attackers exploited while it investigates.
"From experience, breach notifications like this always tend to get worse as time goes on and information from investigations is shared with the public," said Jessy Irwin, the head of security at cybersecurity firm Tendermint. "There's not much that is public about how those accounts are impacted, but this seems to go much deeper into Facebook's entire ecosystem than Cambridge Analytica did."
Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity - a spike in user access to the site - on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday, September 25. On Wednesday it notified law enforcement, and on Thursday evening it fixed the vulnerability and began resetting login tokens, according to Facebook.
The attackers stole Facebook "access tokens," which keep a person logged into their Facebook account over long periods of time so they don't have to keep signing in. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "View As" feature in the past year, as a "precautionary step." The reset also unlinked accounts like Instagram and Oculus, both of which are owned by Facebook, which users will need to relink.
"The reality here is we face constant attacks from people who want to take over accounts or steal information. We need to do more to prevent this from happening in the first place," CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.
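The remediation the article describes, revoking the stolen long-lived access tokens for the directly affected accounts plus a precautionary cohort of everyone who used the feature within the past year, and unlinking connected apps so they must be re-authorized, as an added Python example that is not from the article or from Facebook. The TokenStore class, the user names, dates and linked apps are constructed for illustration; the point it shows is that the bearer token is the stolen credential, so tokens are invalidated while passwords stay untouched.

```python
from datetime import datetime, timedelta
import secrets


class TokenStore:
    """Minimal store of long-lived bearer access tokens (constructed for this example)."""

    def __init__(self):
        self.sessions = {}     # token -> user
        self.revoked = set()   # tokens that no longer authenticate
        self.feature_use = {}  # user -> when they last used the risky feature
        self.linked_apps = {}  # user -> set of linked app names

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def validate(self, token):
        return token in self.sessions and token not in self.revoked

    def bulk_reset(self, compromised, now, window=timedelta(days=365)):
        """Revoke every token of directly affected users plus a precautionary cohort
        (anyone who used the risky feature within `window`) and drop their linked-app
        grants so those apps must be re-authorized. Passwords stay untouched: the
        stolen credential is the bearer token. Returns (direct, precautionary) counts."""
        precautionary = {u for u, t in self.feature_use.items()
                         if now - t <= window and u not in compromised}
        affected = set(compromised) | precautionary
        self.revoked |= {tok for tok, u in self.sessions.items() if u in affected}
        for u in affected:
            self.linked_apps.pop(u, None)
        return len(compromised), len(precautionary)


def demo():
    """Constructed scenario: alice is directly affected, bob used the feature 261
    days before the reset (precautionary cohort), carol used it over a year ago."""
    store = TokenStore()
    ta, tb, tc = (store.issue(u) for u in ("alice", "bob", "carol"))
    store.feature_use = {"bob": datetime(2018, 1, 10), "carol": datetime(2016, 5, 1)}
    store.linked_apps = {"alice": {"instagram"}, "bob": {"oculus"}, "carol": {"instagram"}}
    direct, precautionary = store.bulk_reset({"alice"}, now=datetime(2018, 9, 28))
    return {"direct": direct, "precautionary": precautionary,
            "alice_ok": store.validate(ta), "bob_ok": store.validate(tb),
            "carol_ok": store.validate(tc), "carol_linked": "carol" in store.linked_apps}
```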