Hackers gain access to Facebook user data

Security breach hits 50 million accounts

Facebook said Friday that hackers had stolen information that could have allowed them to take over 50 million user accounts, in the latest mishap for the social media company, which has spent months struggling to regain the confidence of policymakers and the public.

The company said that as many as 90 million Facebook users — out of a total of 2.2 billion — would have to log back into their accounts as a result of the breach. Notifications will appear at the top of the Facebook news feed for the 50 million users who were directly affected, executives said on a call with reporters.

The hackers were able to gain access to profile information, such as users’ names, hometowns and genders, Facebook said. It is possible they could have had access to more information, but Facebook said its investigation is in the early stages. No credit card information was exposed, Facebook executives said, and so far there is no evidence the attackers sought to access private messages or post fraudulent messages from the accounts.

“This is a serious issue and we’re committed to addressing it,” said Facebook chief executive Mark Zuckerberg. “This underscores that there are constant attacks from people who are trying to take over accounts or steal information from people in our community.”

Facebook discovered the breach Tuesday after noticing a spike in user activity on Sept. 16, which prompted engineers to investigate further. They soon found three interlocking bugs on Facebook’s website that attackers had been using to gain access to accounts.

The attackers exploited Facebook’s systems through a flaw in the company’s “View As” feature, the company said, which allows a Facebook user to view his own profile as somebody else might see it.

Embedded in the “View As” feature was a video uploader that was incorrectly generating security tokens — pieces of code that, under normal circumstances, are designed to let a user remain logged in even after navigating away from Facebook’s website.

The incident prompted Facebook to disable the “View As” feature for the time being, and users are not being asked to change their passwords. The company has not determined who is responsible for the attack.

“People’s privacy and security is incredibly important, and we’re sorry this happened,” Facebook said in a blog post. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”

The company said that the security issue was patched Thursday night.

The disclosure adds to a brutal year for Facebook. News broke early this year that Cambridge Analytica, a data analytics firm once employed by Donald Trump’s presidential campaign, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016.

Zuckerberg and his top lieutenants have been summoned repeatedly to Capitol Hill to answer for their company’s privacy policies and its role in spreading misinformation and hate speech online.

Sen. Mark Warner, D-Va., the ranking member of the Senate Intelligence Committee, called the breach “deeply concerning” and called for a full investigation.

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” said Warner. “As I’ve said before — the era of the Wild West in social media is over.”

Other lawmakers on Wednesday grilled representatives from Google, Twitter and a number of telecom companies on their approach to user privacy, in some cases demanding commitments to concrete proposals such as a requirement that companies disclose data breaches within 72 hours of discovery. The companies largely balked at discussing specifics, instead pledging to work with the Senate Commerce Committee to craft a comprehensive national privacy law.

Meanwhile, tech companies such as Facebook face growing scrutiny by state and federal law enforcement who are exploring whether to invoke antitrust law against some of the industry’s practices. The Federal Trade Commission has held a series of hearings on the issue, and the Justice Department this week met with numerous state attorneys general to discuss Silicon Valley’s handling of user data.

Facebook on Wednesday notified federal authorities as well as European data security officials of the security incident, but on Friday the company declined to say whether it has reached out to other law enforcement agencies.

Information for this article was contributed by Matt O’Brien and Mae Anderson of The Associated Press.
