An estimated 50 million user profiles were affected by a security breach, Facebook confirmed in a blog post today. The breach allowed attackers to take over the accounts of affected users.
The breach, which the company says it discovered on Tuesday, “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else.” Currently the company’s internal investigation “is still in its early stages” and no indication has been given as to who might be behind the attack or what user data (if any) was exfiltrated.
Login tokens have been reset for the 50 million accounts directly affected, as well as an additional 40 million accounts that the “view as” feature was used on within the past year. The vulnerability allowing the exploit, according to Facebook, “stemmed from a change we made to our video uploading feature in July 2017.”
News of the security breach comes at a particularly vulnerable time for Facebook, which is currently facing government investigation and regulation over its role in the Cambridge Analytica scandal. Early this year, it was revealed that the firm misused data from some 87 million Facebook users. Cambridge Analytica shut down in May in the wake of the privacy debacle.
In a press conference shortly after Facebook made the blog post, CEO Mark Zuckerberg described the breach as an “attack” and mentioned that those responsible had attempted to query Facebook’s database for personal information about the those whose profiles had their login tokens taken.
The “view as” feature has since been turned off, and Facebook’s VP of Product, Guy Rosen, stated that the company is working alongside law enforcement and the FBI to gather more information. Responding to questions from reporters, Rosen said, “this is clearly a breach of trust and we take this very seriously.”