Facebook has announced that on September 25 it discovered a breach of its network in which attackers stole access tokens by abusing the ‘View As’ feature, which lets users see how their own profile appears to other people.
Nearly 50 million of the more than two billion active Facebook accounts were affected.
Access tokens are the digital keys that keep users logged in after they have entered their username and password, so they do not have to re-authenticate on every visit.
Whoever holds a valid token can act as that user, so the attackers were able to take over accounts – but it is still not clear whether any user data was actually misused.
Facebook CEO Mark Zuckerberg told media on a conference call that the initial investigation does not suggest the tokens were used to access any private messages or posts, or to post anything to user accounts, according to ZDNet.
The vulnerability that allowed the attackers to obtain the tokens has since been fixed.
The company has reset the access tokens on all of the affected user accounts, Facebook said, and as a precaution on another 40 million accounts that had been looked up via ‘View As’ in the past 12 months.
The ‘View As’ feature has been disabled for now, while a security review is under way.
The company has notified law enforcement, and says anyone affected by the reset will need to log back in to their Facebook account or related apps.
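The remediation described above – reset every affected user's tokens, then make them log in again – works because a bearer token is only as good as the server's willingness to honour it. The following Python is an added illustration of that mechanism; it is not Facebook's code, and nothing on this page describes how Facebook's tokens are actually built. The `TokenService` class, its HMAC-signed token format, the per-user generation counter and all names, keys and timestamps are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


class TokenService:
    """Hypothetical bearer-token issuer with per-user bulk revocation (a "token reset")."""

    def __init__(self, key: bytes, ttl_seconds: int = 3600) -> None:
        self.key = key                 # server-side HMAC key, never sent to clients
        self.ttl = ttl_seconds
        # Per-user generation counter. Bumping it invalidates every token that
        # was issued under the previous value, without tracking individual tokens.
        self.generation: Dict[str, int] = {}

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue(self, user_id: str, now: float) -> str:
        """Log-in succeeded: mint a signed token tied to the user's current generation."""
        claims = {
            "sub": user_id,
            "gen": self.generation.get(user_id, 0),
            "iat": int(now),
            "exp": int(now) + self.ttl,
            "jti": secrets.token_hex(8),  # random per-token id; keeps tokens unguessable
        }
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return _b64(payload) + "." + _b64(self._sign(payload))

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user id if the token is genuine, unexpired and not reset; else None."""
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None
        # Constant-time comparison: a plain == would leak the MAC byte by byte.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        try:
            claims = json.loads(payload)
            if claims["exp"] <= now:
                return None
            # A token minted before the user's last reset carries a stale generation.
            if claims["gen"] != self.generation.get(claims["sub"], 0):
                return None
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None

    def reset_user(self, user_id: str) -> None:
        """Invalidate every outstanding token for one user; they must log in again."""
        self.generation[user_id] = self.generation.get(user_id, 0) + 1

    def reset_users(self, user_ids: Iterable[str]) -> int:
        """Bulk reset for every account believed affected by an incident; returns the count."""
        ids = list(user_ids)
        for uid in ids:
            self.reset_user(uid)
        return len(ids)


def demo() -> Dict[str, bool]:
    """Walk through steal -> reset -> re-login with constructed data."""
    svc = TokenService(key=b"constructed-demo-key-not-for-production")
    t0 = 1_538_000_000.0  # constructed timestamp
    alice_token = svc.issue("alice", now=t0)
    stolen = alice_token  # the attacker captures a copy of the token
    out: Dict[str, bool] = {}
    # Before the reset, the stolen copy is exactly as good as the original.
    out["stolen_works_before_reset"] = svc.validate(stolen, now=t0 + 10) == "alice"
    # Retargeting the payload at another user breaks the MAC.
    payload_b64, sig_b64 = alice_token.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = "bob"
    forged = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()) + "." + sig_b64
    out["forged_token_rejected"] = svc.validate(forged, now=t0 + 10) is None
    # Incident response: reset tokens for all accounts believed affected.
    svc.reset_users(["alice", "carol"])
    out["stolen_dead_after_reset"] = svc.validate(stolen, now=t0 + 20) is None
    # The legitimate user logs in again and gets a token under the new generation.
    fresh = svc.issue("alice", now=t0 + 30)
    out["fresh_token_works"] = svc.validate(fresh, now=t0 + 40) == "alice"
    out["expired_token_rejected"] = svc.validate(fresh, now=t0 + 30 + 3600) is None
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The generation counter is what makes a mass reset cheap: invalidating 90 million accounts' tokens is 90 million counter increments, not a search for every token ever issued. The cost is borne by the users, who all have to log in again, which is exactly the behaviour the article reports.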
“I think this underscores the attack that our community and our service face,” Zuckerberg said, “and the need to keep on investing heavily in security and being more proactive about protecting our community.”
NOTE: If you are a Facebook user, here’s how to find out whether your account was affected: go to Facebook. If you are still logged in, your access token was not reset and your account was not affected in this breach. If you find you have been logged out, your token was among those reset, which means your account may have been affected; you will see a notice explaining the situation when you log back in.