Facebook can’t seem to get out of its own way when it comes to security. The biggest security issue for the social network was the Cambridge Analytica fiasco that gave the company access to information on 87 million users. In June, Facebook had another security failure when private posts of 14 million users were shared publicly. Today we learn of yet another security breach that resulted in the theft of personal details on 50 million users.
Facebook became aware of the breach on the afternoon of Tuesday, September 25 and said that the attack took advantage of the Facebook code for "View As". The feature lets people see their profile as other users would see it, but an exploit that the attackers used allowed them to steal Facebook access tokens that could be used to take over accounts. Access tokens are likened to digital keys that keep people logged into Facebook to prevent them from having to enter a password each time they come to the site.
Facebook notes that it has already acted on the breach by fixing the vulnerability and has informed law enforcement about the attack. Tokens on the almost 50 million accounts known to have been affected were reset, and Facebook reset tokens for another 40 million accounts that had been used with "View As" in the last year. This means that about 90 million Facebook users will have to log in again the next time they visit the website.
The accounts that must log back in will have a notification at the top of the screen that explains what happened. Facebook is turning off the "View As" feature while a security review is performed. The social giant has also given insight into what exactly happened, saying that the attack exploited a "complex interaction of multiple issues in our code." These changes stemmed from a setting the social giant changed in July 2017 related to video uploading that just so happened to impact "View As."
The investigation into the breach is underway now, and Facebook notes that it hasn’t determined if the accounts were misused or if the information was accessed. Despite the breach and potential to access accounts, Facebook indicates no reason for people to reset passwords. Facebook also notes that you can log out of your account on all devices via the "Security and Login" section in settings.