Facebook breach exposed 50m accounts
Facebook says hackers stole digital login codes allowing them to take over nearly 50 million user accounts in its worst security breach ever, adding to what has been a difficult year for the company's reputation.
The social media giant, which has more than 2.2 billion monthly users, says it has yet to determine whether the attacker misused any accounts or stole private information.
It also has not identified the attacker's location or whether specific victims were targeted. Its initial review suggests the attack was broad in nature.
Chief executive Mark Zuckerberg described the incident as "really serious" in a conference call with reporters on Friday.
His account was affected along with that of chief operating officer Sheryl Sandberg, a spokeswoman said.
Shares in Facebook fell 2.6 per cent on Friday, weighing on major Wall Street stock indexes.
Facebook made headlines earlier this year after profile details from 87 million users were improperly accessed by political data firm Cambridge Analytica.
The disclosure has prompted government inquiries into the company's privacy practices across the world and fuelled a "#deleteFacebook" social movement among consumers.
US lawmakers said on Friday the hack might boost calls for data privacy legislation.
Federal Trade Commission Commissioner Rohit Chopra said "I want answers" on Twitter, with a link to a Reuters story on the breach.
Facebook's latest vulnerability had existed since July 2017 but the company first identified it on Tuesday after spotting a "fairly large" increase in use of its "view as" privacy feature on September 16, executives said.
"View as" allows users to verify their privacy settings by seeing what their own profile looks like to someone else.
The flaw inadvertently gave the devices of "view as" users the wrong digital code, which, like a browser cookie, keeps users signed in to a service across multiple visits.
That code could allow the person using "view as" to post and browse from someone else's Facebook account, potentially exposing private messages, photos and posts.
The attacker also could have gained full access to victims' accounts on any third-party app or website where they had logged in with Facebook credentials.
Facebook fixed the issue on Thursday. It also notified the FBI, Department of Homeland Security, congressional aides and the Data Protection Commission in Ireland, where the company has European headquarters.
Facebook reset the digital keys of the affected accounts and, as a precaution, temporarily disabled "view as" and reset the keys for another 40 million accounts that had been looked up through "view as" during the past year.
About 90 million people would have to log back into Facebook or any of their apps that use a Facebook login, the company said.