Facebook announced that it had uncovered a new security flaw that allowed hackers to take control of as many as 50 million user accounts. The company is still in the early stages of investigating this latest security flaw, and it announced that law enforcement has been notified.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” the company said in a statement. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”
The flaw stems from the way access tokens are handled. Access tokens are digital keys that allow users to remain logged into their Facebook accounts without having to re-enter their passwords every time. However, due to the way Facebook’s code handles the “View As” feature, the company said that hackers may have improperly taken over people’s accounts. The View As feature allows Facebook users to view their profile as if they are browsing the network as someone else.
Facebook said that the bug has been patched and that, to be cautious, it had reset the access tokens for 50 million user accounts. It also reset the access tokens for another 40 million Facebook accounts that had accessed the View As feature within the last year. A total of 90 million people were forcibly logged out of their Facebook accounts as a precaution, the company said.
When users log back in, they will be greeted with a notification in their News Feed with details about the attack. Facebook said that it is temporarily turning off the View As feature while it investigates this incident.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the company said. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details.”
This is the latest security scandal to hit Facebook. The company was also involved in the Cambridge Analytica data scandal earlier in 2018. In that incident, the data of as many as 90 million users was affected.