An attack on Facebook exposed information on nearly 50 million of the social network’s users and gave attackers access to the accounts of those users on other websites and apps they used Facebook to log in to, the company announced on Friday.
The attackers exploited a bug in the “View As” feature, which lets users see how their Facebook page appears to other people. An attacker could take over these accounts and use them as if they were the account holder. This includes posting or viewing information shared by any friends of the account. Facebook said credit card information stored by the company was not accessed.
Facebook (FB) said it did not know who the attackers were or where they were based. It also said it had resolved the issue and notified the FBI and other law enforcement as well as lawmakers and regulators. It has also notified the Irish Data Protection Commission of the breach, a step required by European GDPR regulations. The commission said it had received the notice but expressed concerns about its timing and lack of detail.
More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts that Facebook forcibly logged out.
Facebook said users don’t need to take any additional security precautions or reset their passwords. All logged-out users will receive a notification from Facebook about the issue, but as a precaution it won’t tell them whether they are among the 50 million or 40 million affected users.
Facebook’s Guy Rosen said in a follow-up call with reporters on Friday that the attackers were also able to access third-party services or websites that users sign in to through the Facebook login, though it’s unclear whether they did so. It could also affect Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, also owned by Facebook, was not affected. A spokesman said it was the largest hack in Facebook’s history.
The company said it did not know whether the affected accounts were misused in any way or whether any user information was actually accessed. It has not been determined whether any specific locations or accounts were targeted. It is turning off the “View As” feature that the attackers exploited while it investigates.
“As a rule of thumb, these types of breach notifications tend to get worse over time and as investigative information is shared with the public,” said Jessy Irwin, director of security at cybersecurity firm Tendermint. “About these (correlations) Not much is publicly available about how accounts were affected, but it appears to have impacted Facebook’s entire ecosystem more deeply than Cambridge Analytica.”
Facebook said the vulnerability was caused by three separate bugs and first appeared in July 2017 when the company made changes to its video upload functionality. The company first detected some unusual activity on September 16, 2018, with a spike in user visits to the site. The company launched an investigation and discovered the attack on Tuesday, September 25. The company notified law enforcement on Wednesday, and on Thursday night, according to Facebook, it fixed the vulnerability and began resetting login tokens.
The attackers stole Facebook “access tokens,” which keep users logged in to their Facebook accounts for an extended period of time so they don’t have to keep logging in. Facebook reset all 50 million tokens, as well as the tokens of an additional 40 million people who had used the “View As” feature last year, as a “precautionary measure.” The reset also unlinked accounts such as Instagram and Oculus, both of which belong to Facebook, and users need to relink these accounts.
CEO Mark Zuckerberg told reporters shortly after the announcement: “The reality is that we are constantly facing attacks from people who want to take over accounts or steal information… We need to do more, right from the start. Just prevent this from happening.”
The announcement is the latest in a series of problems for the company, which has been plagued by security breaches, privacy concerns and misinformation in recent years. Facebook said it would invest heavily in security in the future and increase the number of security staff from 10,000 to 20,000.
“Security is an arms race, and we’re continuing to improve our defenses,” Zuckerberg said.
CNN’s Donie O’Sullivan, Laurie Segall and Sara O’Brien also contributed reporting.
CNN Business (San Francisco) First published September 28, 2018: 12:58pm ET