Up to 50 million Facebook users were left exposed by a security flaw, according to Facebook.
The company discovered a breach earlier this week and found that attackers had exploited a feature in Facebook’s code which allowed them to take over user accounts. Facebook said that the flaw was fixed and law enforcement officials had been notified.
The attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed the attackers to steal access tokens, the equivalent of digital keys that keep users logged in so that they do not have to re-enter their password every time they use the app.
Facebook has reset the access tokens of the almost 50 million accounts it knew were affected to protect their security, and has taken the precautionary step of resetting the access tokens for another 40 million accounts that were subject to a “View As” last year. The “View As” feature has been turned off until a security review is conducted.
More than 90 million of Facebook’s users were forced to log out of their accounts on Friday morning.
The company has started an investigation and said that it was too early to know the origin or identity of the attackers. Nor has the company fully assessed the scope of the attack.