Data of 50 million Facebook users have been exposed following a massive security breach by unknown hackers, its CEO Mark Zuckerberg said, amid fears that a significant number of the accounts affected could be from India.
The precautionary measure taken by the social media giant has impacted another 40 million users, Zuckerberg said Friday. In a conference call with reporters, he did not give a country-wise of the user accounts hit by the data breach. However, a significant number of affected users are expected to be from India, given that the company has the maximum 270 million users in the country. It has 2 billion global users.
“On Tuesday afternoon, our engineering team found an attack affecting up to 50 million accounts on Facebook. The attackers exploited a vulnerability in the code of the View As feature which is a privacy feature that lets people see what their Facebook profile would look like to another person,” Zuckerberg said. “The vulnerability allowed the attackers to steal Facebook access tokens – which are the equivalent of a digital key – which the attackers could have used to take over or access people’s accounts,” he said.
Stressing that the investigation into the incident was still at a nascent stage, Zuckerberg said the social media giant does not know if any of the accounts were misused or who was behind the cyberattacks. “So far, our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts.” He said Facebook has taken steps to patch the security flaw to prevent this attacker – or any other attacker – from being able to steal additional access tokens. Facebook has invalidated access tokens for the accounts, causing those users to be logged out.
“These people will now have to log back in to access their accounts again and we will also notify these people in a message on top of their News Feed about what happened when they log back in,” the chief executive officer said. In addition to getting in touch with law enforcement agencies, including the FBI, Zuckerberg said Facebook is logging out all users who used the “View As” feature since the flaw was introduced last year as a precautionary measure. “This will require another 40 million people – or more – to log back into their accounts,” he said.
“This is a really serious security issue. And we’re taking it really seriously. We have a major security effort at the company that hardens all of our surfaces, and investigates issues like this,” he said in response to a question. “In this case I’m glad that we found this and that we were able to fix the vulnerability and secure the accounts. But it definitely is an issue that this happened in the first place,” he said. Gary Rosen, vice president pf product management at Facebook, said in all 90 million users would have to log back in. “After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” he said. Facebook said users don’t need to change their passwords.