Facebook announced that a security flaw allowed hackers to access nearly 50 million accounts.
The breach, which is the largest ever for the social media site, comes at a time when Facebook is still trying to recover from multiple controversies regarding its handling of users’ personal data.
The announcement pushed Facebook shares down about 1.1%.
“The investigation is still very early so we do not yet know if any of the accounts were actually misused,” said Facebook CEO Mark Zuckerberg. “This, of course, may change.”
The security flaw, which dates back to an update introduced last summer, allowed hackers to steal access tokens. This gave them the ability to use accounts as if they were the account holder – meaning they could access a person’s messages, photos, and apps.
Facebook discovered the flaw after it noticed a surge in user activity on September 16th.
“The bigger concern (and something we don’t know yet) is whether third party applications were impacted,” explains security expert Jake Williams. “Facebook offers a login service for third parties to allow users to log into their apps using Facebook. In other words, Facebook is providing the identity management for countless other sites and services. These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site.”
Another concern is that hackers will take advantage of the situation with phishing attacks. “With a security issue as high profile as this one, it’s likely that phishing attacks will swiftly follow urging recipients to change their Facebook passwords via an email and then directing them to a malicious phishing site,” said Oz Alashe, CEO of the cybersecurity firm CybSafe. “It’s important to be extra vigilant, to follow Facebook’s instructions on the site or app, but do not act on unsolicited emails unless you are able to verify the sender.”
Facebook claims it has fixed the vulnerability and reset the access tokens for all 50 million accounts plus an additional 40 million that may have been at risk. Those 90 million users have been logged out and will receive a security notice next time they access the site.
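As an added illustration written for this article (not Facebook's code), the constructed identity-provider and relying-party pair below shows the two points raised above: a bearer token is accepted as the user wherever the provider's login is trusted, and a server-side mass token reset is what invalidates every outstanding token for an account. Class and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed example (not Facebook's code): an identity provider that issues
# bearer tokens and can invalidate every token for an account at once, and a
# relying party that re-checks the token with the provider instead of trusting it.

class IdentityProvider:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._not_before = {}  # user_id -> earliest issue time still accepted

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: int) -> str:
        # Token layout: "<user_id>.<issued_at>.<hmac>"
        payload = f"{user_id}.{now}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token: str):
        # Returns the user_id, or None if the token is malformed, forged,
        # or was issued before the account's last mass reset.
        try:
            user_id, issued_at, sig = token.rsplit(".", 2)
            issued_at = int(issued_at)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(f"{user_id}.{issued_at}")):
            return None
        if issued_at < self._not_before.get(user_id, 0):
            return None
        return user_id

    def reset_tokens(self, user_ids, now: int) -> None:
        # Mass reset: every token issued before `now` for these accounts dies,
        # which is what logging the affected users out amounts to server-side.
        for uid in user_ids:
            self._not_before[uid] = now


class RelyingParty:
    """Third-party site that lets users log in via the provider."""
    def __init__(self, idp: IdentityProvider):
        self._idp = idp

    def login(self, token: str):
        # Ask the provider on every login rather than caching token -> identity,
        # so a token revoked at the provider cannot still open a session here.
        return self._idp.validate(token)
```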
In the meantime, Facebook is working with the FBI to discover who was responsible for the attack. The company also said it would double its security team from 10,000 people to 20,000.
“Security is an arms race, and we’re continuing to improve our defenses,” said Zuckerberg. “This just underscores there are constant attacks from people who are trying to underscores accounts in our community.”