Computer hackers this month stole the keys to nearly 50 million Facebook accounts using a year-old security hole in the company’s code, the social-media giant revealed Friday.
The origin and the purpose of the mass theft are unclear, but some or all of the pilfered “access tokens” were used to download the profile data of compromised users.
Access tokens are what allow a logged-in Facebook user to dispense with entering a password every time they revisit the site; whoever holds a valid token can act as that user until it is revoked. With the stolen tokens, the hackers could have read victims’ private messages or posted content in their names, though Facebook said it hasn’t found evidence of the tokens being used for that.
“This is a really serious security issue and we’re taking it really seriously,” Facebook CEO Mark Zuckerberg said in a press call. “I think this underscores the attacks that our community and our service face, and the need to continue to invest heavily in security.”
The incident adds to ongoing Facebook controversies, including a year of revelations about the site’s role in spreading fake news, its use by Russian intelligence agents and trolls in the Kremlin’s 2016 election-interference campaign, and the acquisition of private profile data for up to 87 million users by the shady campaign consulting firm Cambridge Analytica.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook… are able to accumulate so much personal data about individual Americans without adequate security measures,” said Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, in a statement.
The hackers discovered a security hole at the intersection of three separate software bugs in various parts of Facebook’s massive codebase. One bug was in the “view-as” feature that allows users to verify their privacy settings by viewing their profile the way a friend would see it.
The hackers found that, while using view-as, the page wrongly rendered the feature inviting users to upload a “Happy Birthday video” whenever a Facebook friend turns a year older. A further bug in that video uploader caused it to generate an access token for the person being viewed rather than for the viewer, and the token was exposed in the page’s HTML. Extracting it gave the hackers the profile owner’s token, and with it the owner’s permissions instead of their own.
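To make the mechanism concrete, here is a toy model of that kind of privilege mix-up, written for this article rather than taken from Facebook’s code: a “view as” preview that resolves the current user from the page context, so a widget on that page mints a token for the impersonated owner. The names (`Request`, `mint_token`, `render_video_uploader_*`, the scopes and the signing key) are hypothetical, and the key is a constructed stand-in for a managed secret.

```python
"""Toy model of a 'view as' privilege mix-up: a widget on the preview page
mints an access token for the impersonated profile owner instead of the
viewer. Added illustration only; not Facebook's code, and every name here
is hypothetical."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service uses a managed secret

# Scopes a full-featured client app might hold (hypothetical scope names).
APP_SCOPES = ("read_profile", "read_messages", "publish_posts")


@dataclass
class Request:
    actor_id: str                        # the authenticated user making the request
    view_as_id: Optional[str] = None     # profile owner being impersonated in preview mode


@dataclass
class Token:
    user_id: str
    scopes: Tuple[str, ...]
    mac: str


def _sign(user_id: str, scopes: Tuple[str, ...]) -> str:
    msg = f"{user_id}|{','.join(scopes)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def mint_token(user_id: str, scopes: Tuple[str, ...]) -> Token:
    return Token(user_id, tuple(scopes), _sign(user_id, tuple(scopes)))


def render_video_uploader_vulnerable(req: Request) -> Token:
    """Vulnerable: the uploader resolves 'current user' from the page context.
    In 'view as' mode that context is the impersonated owner, so the token
    embedded in the rendered page belongs to the wrong principal, and it
    carries the app's full scopes rather than the one scope the widget needs."""
    current = req.view_as_id or req.actor_id
    return mint_token(current, APP_SCOPES)


def render_video_uploader_fixed(req: Request) -> Optional[Token]:
    """Hardened: a preview never renders token-bearing widgets, and outside a
    preview the token is bound to the authenticated actor with minimal scope."""
    if req.view_as_id is not None:
        return None  # preview is read-only; nothing to mint
    return mint_token(req.actor_id, ("upload_video",))


def verify(token: Token) -> bool:
    return hmac.compare_digest(token.mac, _sign(token.user_id, token.scopes))


def read_private_messages(token: Token, target_id: str) -> bool:
    """Resource-server check: the token must be valid, belong to the target
    user, and carry the messages scope."""
    return (verify(token)
            and token.user_id == target_id
            and "read_messages" in token.scopes)


if __name__ == "__main__":
    req = Request(actor_id="mallory", view_as_id="alice")
    leaked = render_video_uploader_vulnerable(req)
    print("vulnerable token owner:", leaked.user_id,
          "| can read alice's messages:", read_private_messages(leaked, "alice"))
    print("fixed preview mints:", render_video_uploader_fixed(req))
```

The two checks in `read_private_messages` are deliberately on the resource side: the token is cryptographically valid either way, so no signature check would catch the bug. Only binding the minted token to the authenticated actor, and refusing to mint in a preview at all, closes it.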
The attack was detected when the hackers became too aggressive with their harvesting, using an automated script that spidered from one stolen account to the next through friend relationships. Facebook engineers noticed the spike in activity on September 16, but because of the complexity of the security hole, they did not figure out what was happening until last Tuesday, the company said.
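The detection described above came down to volume: one source running view-as lookups against a fan-out of accounts at a rate no human would. The following is an added example of that check run over a constructed log sample; it is not Facebook’s detection logic, and the line format, IP addresses, field names and thresholds are all invented for the illustration.

```python
"""Flagging a token harvest from request logs: per-client 'view as' volume
per minute, compared with the population baseline, combined with the number
of distinct accounts the client previewed. Added example with a constructed
log format; not Facebook's tooling."""
from collections import defaultdict
from statistics import median
import re

# Constructed log line shape, e.g. "t=3 client=10.0.0.4 action=view_as user=friend4"
LINE = re.compile(r"t=(?P<min>\d+) client=(?P<client>\S+) action=(?P<action>\S+) user=(?P<user>\S+)")


def parse(lines):
    """Return (minute, client, action, user) tuples; silently skip malformed lines."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((int(m["min"]), m["client"], m["action"], m["user"]))
    return events


def flag_harvesters(events, rate_factor=20, min_victims=50):
    """Flag clients whose per-minute view_as count exceeds rate_factor times the
    median per-client-minute count AND who previewed at least min_victims
    distinct accounts. Returns {client: peak_per_minute_count}."""
    per_client_minute = defaultdict(int)
    victims = defaultdict(set)
    for minute, client, action, user in events:
        if action != "view_as":
            continue
        per_client_minute[(client, minute)] += 1
        victims[client].add(user)
    if not per_client_minute:
        return {}
    baseline = median(per_client_minute.values())
    flagged = {}
    for (client, minute), n in per_client_minute.items():
        if n > rate_factor * baseline and len(victims[client]) >= min_victims:
            flagged[client] = max(flagged.get(client, 0), n)
    return flagged


def constructed_log():
    """Constructed sample: 30 ordinary users previewing one friend each, plus one
    client spidering 160 accounts across two minutes."""
    lines = []
    for i in range(30):
        lines.append(f"t={i % 10} client=10.0.0.{i} action=view_as user=friend{i}")
        lines.append(f"t={i % 10} client=10.0.0.{i} action=profile user=friend{i}")
    for j in range(160):
        lines.append(f"t={j // 80} client=203.0.113.9 action=view_as user=victim{j}")
    return lines


if __name__ == "__main__":
    print(flag_harvesters(parse(constructed_log())))
```

Requiring both conditions matters: a single busy but legitimate client (say, a shared office address) can exceed a rate threshold without touching many distinct accounts, while a slow harvester spread over days would need the fan-out check rather than the rate check to be caught.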
Facebook notified law enforcement of the breach on Wednesday, and on Thursday the company revoked the access tokens for the 50 million compromised accounts, as well as for another 40 million users who had used the “view-as” feature.
“So far we haven’t seen that the access tokens were used to access private messages or posts,” said Zuckerberg, adding that the investigation has only just begun. The hackers did use the tokens to download victims’ basic profile information through the company’s API—data like names, ages and hometowns—for reasons that remain unclear.
“The reality here is we face constant attacks,” Zuckerberg said. “We need to do more to prevent this from happening in the first place.”
The security hole was opened in July 2017 when Facebook engineers extended the view-as feature to video uploads. The company wouldn’t comment on whether other attackers may have been using the vulnerability in the intervening 14 months.