Facebook says it has discovered a security breach affecting nearly 50 million accounts, and that it’s not yet clear whether any information was accessed or any accounts were otherwise misused. The vulnerability that caused the breach was found Tuesday and was fixed on Thursday night, Facebook says. The company is working with the FBI and conducting an investigation, which is “still in its early stages,” the company said.
“We do not yet know if any of the accounts were actually misused,” Facebook CEO Mark Zuckerberg told reporters on Friday. “This is a really serious security issue, and we are taking it really seriously.” Facebook does not know who carried out the attacks or where they were based. They know the attackers attempted to access profile information, but not whether they succeeded; they do not yet have evidence that the attackers accessed private messages or posted to accounts.
The attack involved stealing “access tokens.” Facebook explains: “[A]ttackers exploited a vulnerability in Facebook’s code that impacted ‘View As‘, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”