Facebook has revealed a security breach which potentially allowed hackers to take over 50 million accounts.
The issue was discovered on 25 September and the social media giant said it had since taken steps to mitigate the breach and has alerted law enforcement.
Facebook said attackers stole access tokens through its “view as” feature and could then use those tokens to take over people’s accounts.
“View as” is a feature that allows users to see what their own profile looks like to someone else.
The access tokens of 50 million accounts have been reset and users of those accounts will have been made to log back into their accounts.
The same step was taken with a further 40 million accounts as a precautionary measure, and the “view as” feature has been disabled.
Users will not need to take any further action at this stage.
It is not known who is behind the attack.
STEPS TO TAKE
- 90 million accounts have been automatically logged out, but no one needs to change their passwords.
- If you are having difficulty logging back in – for example because of a forgotten password – you should visit Facebook’s help centre.
- If you have not been logged out automatically, but want to log out as a precaution, visit the “Security and Login” section which lists all the places you are logged in to Facebook.
- Use the one-click option to log out of Facebook on all PCs and devices you may have accessed it on.
In a statement, Facebook said: “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed.
“We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.
“In addition, if we find more affected accounts, we will immediately reset their access tokens.”
Facebook shares fell 3 percent to $163.78 in afternoon trading.
A spokesman for the National Cyber Security Centre said: “We are investigating how this breach has affected people in the UK and advise on appropriate mitigation measures. Users should read the latest advice Facebook has published.
“Based on current information, we understand that Facebook have fixed the flaw by temporarily suspending the ‘view as’ feature.
“There is no evidence that people have to take action such as changing their passwords or deleting their profiles.
“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy firm.
In 2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorised viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.