Facebook has found a security “issue” in its “View As” feature that led to an attack affecting almost 50 million accounts, and potentially as many as 90 million users in total, the social media giant announced Friday.
“Attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook’s vice president of product management Guy Rosen wrote in an emailed statement.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.
The profile information exposed in the “View As” profile feature includes a user’s name, gender and hometown.
“We’ve fixed the vulnerability and informed law enforcement,” Rosen said. “We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security.”
About 90 million Facebook users who keep the site open on their browsers or mobile phone apps were prompted to log in again on Friday morning as a result of the discovery, the company said.
“We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Rosen said. “After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
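The response described above, resetting tokens for confirmed-affected accounts plus a precautionary set and forcing those users to log in again, can be implemented server-side with a per-account cutoff. The following is an added example, not Facebook’s code, using constructed account and token data: every token issued before an account’s cutoff is rejected, so existing sessions die while tokens issued by a fresh login keep working.

```python
from datetime import datetime, timedelta, timezone


class TokenStore:
    """Minimal access-token store with per-account bulk invalidation (constructed example)."""

    def __init__(self):
        self.tokens = {}       # token_id -> (user_id, issued_at)
        self.valid_after = {}  # user_id -> cutoff; tokens issued before it are dead

    def issue(self, token_id, user_id, issued_at):
        self.tokens[token_id] = (user_id, issued_at)

    def reset_user(self, user_id, now):
        # Invalidate every token issued before `now`; the user must log in again.
        self.valid_after[user_id] = now

    def is_valid(self, token_id):
        entry = self.tokens.get(token_id)
        if entry is None:
            return False
        user_id, issued_at = entry
        cutoff = self.valid_after.get(user_id)
        return cutoff is None or issued_at >= cutoff


def reset_affected(store, confirmed, precautionary, now):
    """Reset both the known-affected accounts and the precautionary set; returns how many."""
    targets = set(confirmed) | set(precautionary)
    for user_id in targets:
        store.reset_user(user_id, now)
    return len(targets)


def run_demo():
    now = datetime(2018, 9, 28, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = TokenStore()
    store.issue("tok-alice-old", "alice", now - timedelta(days=30))
    store.issue("tok-bob-old", "bob", now - timedelta(days=10))
    store.issue("tok-carol", "carol", now - timedelta(days=5))
    # alice: token known stolen; bob: was subject to a "View As" look-up; carol: untouched
    reset_count = reset_affected(store, confirmed=["alice"], precautionary=["bob"], now=now)
    # alice logs back in and receives a fresh token issued after the cutoff
    store.issue("tok-alice-new", "alice", now + timedelta(minutes=1))
    return {
        "reset_count": reset_count,
        "alice_old": store.is_valid("tok-alice-old"),
        "alice_new": store.is_valid("tok-alice-new"),
        "bob_old": store.is_valid("tok-bob-old"),
        "carol": store.is_valid("tok-carol"),
        "unknown": store.is_valid("tok-missing"),
    }
```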
The announcement comes at an increasingly troubled period for Facebook. On Monday night, the CEO and CTO of Instagram quit abruptly, taking the company and Wall Street by surprise, amid reported tensions with Facebook CEO and chairman Mark Zuckerberg.
As of Friday, those key positions at the photo sharing app, which is central to Facebook’s growth, remained unfilled.
Meanwhile, the company has faced increasing scrutiny from both Congress and European regulators about its data security and privacy issues. The company continues to fight “fake news” scandals associated with the 2016 U.S. presidential election and human rights campaigns around the world.
In addition, the fallout of 87 million users’ data being compromised by British firm Cambridge Analytica continues to pose problems for the company.
The latest security flaw is just another reason for Facebook to reset its leadership structure, said Trillium Asset Management’s Jonas Kron. Trillium owns 52,000 shares of the social media company and has been using its position to advocate for Zuckerberg to step down as chairman of the board and focus on his CEO duties.
“The hits just keep on coming,” Kron told ABC News. “The company needs to get control of the broader narrative, and that’s more than Zuckerberg can handle. This is again, time for an independent chair.”
In response to the attack, Facebook has temporarily turned off the “View As” feature while it conducts a thorough security review, according to the statement.
The company said it discovered the hack on Tuesday afternoon. In a Friday conference call with reporters after the announcement, Rosen and Zuckerberg said Facebook had noticed an unusual spike in user activity on the site.
The glitch was fixed on Thursday night, the executives said. The company notified the FBI and the Irish Data Protection Commission because of European Union General Data Protection Regulation (GDPR) issues.
Facebook said it did not know who the hacker was, or how the data had been accessed, but described it as a very “large scale” and complex attack that exploited three separate bugs in the company’s security systems. Users do not need to change passwords, and credit card information was not affected, the executives said.
“This is a very serious security issue, and we’re taking it very seriously,” Zuckerberg said.