Nearly 50 million Facebook users may have had their accounts compromised, the social network announced on Friday following an attack on its computer network.
Facebook noticed the attack earlier this week and “informed law enforcement,” according to the company’s announcement. The attackers “exploited” a hole in Facebook’s code for “View As,” a feature that lets a user see how their own profile appears to another user.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” the social network said. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Facebook said the vulnerability has been patched. Beyond the roughly 50 million accounts known to be affected, the company is taking the “precautionary step” of resetting the access tokens for another 40 million accounts that may have been exposed to the same flaw. In total, about 90 million users will have to log back into Facebook on Friday, where they will see a notification at the top of their News Feeds explaining the potential breach.
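The two points above, that a stolen access token is as good as a login and that a bulk token reset kills the stolen copies without anyone changing a password, are easier to see in code. The following is an added illustration, not Facebook’s own code: a small bearer-token scheme in which every user has a “generation” counter baked into their signed tokens, so bumping the counter invalidates every outstanding token for that user. The class and function names, the constructed clock value and the sample user are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


class SessionTokens:
    """Bearer access tokens with per-user bulk revocation (constructed example).

    A token is a signed payload {sub, gen, exp}. Whoever presents a valid
    token is treated as that user, which is why token theft is an account
    takeover. Each user has a generation counter; a token is accepted only
    if its 'gen' equals the user's current generation, so incrementing the
    counter revokes every outstanding token without touching the password.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._generation: dict = {}
        self._password_hash: dict = {}

    def register(self, user_id: str, password: str) -> None:
        # Plain SHA-256 keeps the example short; real password storage
        # needs a slow, salted hash such as argon2 or bcrypt.
        self._password_hash[user_id] = hashlib.sha256(password.encode()).hexdigest()
        self._generation[user_id] = 0

    def login(self, user_id: str, password: str, now: int, ttl: int = 3600) -> Optional[str]:
        expected = self._password_hash.get(user_id)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            return None
        return self._issue(user_id, now + ttl)

    def _issue(self, user_id: str, exp: int) -> str:
        payload = {"sub": user_id, "gen": self._generation[user_id], "exp": exp}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, token: str, now: int) -> Optional[str]:
        """Return the user id the token speaks for, or None if it is not valid."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered payload or wrong server key
        payload = json.loads(base64.urlsafe_b64decode(body))
        user_id = payload["sub"]
        if payload["exp"] <= now:
            return None  # expired
        if payload["gen"] != self._generation.get(user_id):
            return None  # revoked by a reset (or unknown user)
        return user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> None:
        """Precautionary reset: every token issued so far for these users dies."""
        for user_id in user_ids:
            self._generation[user_id] += 1


def stolen_token_scenario() -> dict:
    """Walk through theft, bulk reset and re-login on a constructed account."""
    store = SessionTokens(secrets.token_bytes(32))
    store.register("alice", "correct horse battery staple")
    t0 = 1_538_000_000  # constructed fixed clock so the example is deterministic

    alice_token = store.login("alice", "correct horse battery staple", now=t0)
    stolen = alice_token  # the attacker obtains a copy of the token string

    # A bearer token carries no proof of who presents it: the thief *is* alice.
    attacker_before = store.verify(stolen, now=t0 + 60)

    store.reset_tokens(["alice"])  # no password change involved
    attacker_after = store.verify(stolen, now=t0 + 120)

    # Editing the embedded generation does not help: the signature no longer matches.
    body, sig = stolen.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["gen"] += 1
    forged = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode() + "." + sig

    # Alice simply logs in again with her unchanged password.
    alice_new = store.login("alice", "correct horse battery staple", now=t0 + 180)
    return {
        "attacker_before_reset": attacker_before,
        "attacker_after_reset": attacker_after,
        "forged_generation": store.verify(forged, now=t0 + 120),
        "alice_old_token_after_reset": store.verify(alice_token, now=t0 + 120),
        "alice_new_token": store.verify(alice_new, now=t0 + 200),
        "password_unchanged": alice_new is not None,
    }


if __name__ == "__main__":
    print(stolen_token_scenario())
```

The generation counter is what lets a site reset tens of millions of sessions in one pass: each reset is an increment on the user record, not a search for every token ever issued. The cost, as the article notes, is that every affected user is logged out everywhere and has to sign in again.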
Facebook said the investigation is still in its “early stages” and that it is disabling the “View As” feature in the meantime.
“People’s privacy and security is incredibly important, and we’re sorry this happened,” Facebook added. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center.”
Shares of Facebook were down about 3 percent during midday trading on Friday.
The attack is the latest security headache for Facebook this year. Facebook was rocked by the Cambridge Analytica data leak in March, when the company revealed that profile data of up to 87 million users had been obtained by the political data firm without their knowledge. And last month, the company booted hundreds of Russian and Iranian accounts for running misinformation campaigns.