- Almost 50 million Facebook accounts were compromised following a "security issue," the social network announced Friday in a statement by Guy Rosen, VP of Product Management. Facebook's engineering team discovered the incident on Tuesday afternoon and it took "immediate action" to disclose, inform law enforcement and update security measures.
- Facebook is still investigating the incident, but attackers exploited a flaw in the platform's "View As" feature, according to the announcement. The function allows a Facebook user to preview their profile on the site, seeing what it looks like to someone else. By using the feature, the attackers were able to steal access tokens, which act as "digital keys" for users to remain logged in and to avoid entering a password every time they log onto Facebook.
- In response, Facebook is resetting the "access tokens" of 90 million accounts — 40 million of which weren't compromised, but were reset as a precaution, according ot the announcement. The company is also temporarily turning off the "View As" option.
Facebook is still investigating the incident, but it does not yet know if the "accounts were misused or any information accessed," Rosen said. The company is also looking into who is responsible for the attack or if there are more accounts impacted.
In the scheme of Facebook's expansive user base, the number of compromised accounts is relatively small. In the second quarter of 2018, Facebook recorded 2.2 billion users, according to Statista. The incident affected 2% of the platform's user base.
The issue, however, is the highly sensitive nature of the data hosted on the social network. Facebook holds personal details, connections and timelines of users of all different backgrounds. If combined with data from past breaches at other organizations, malicious actors could recreate full profiles on an individual, a perfect storm for identity theft.
Facebook has been on a campaign to regain users' and the public's trust following the Cambridge Analytica revelations earlier this year. There was also fallout between the company's executive leadership, causing the departure of former CISO Alex Stamos in August.
Last year, Stamos said he didn't feel like the social network had "caught up" with its security responsibility. Tech companies are quick to create an environment where engineers can customize and experiment, but that can create room for security shortcomings.
With broad efforts to increase privacy, the public has undergone an awakening period with data use, moving past a more trusting mentality. As a result, organizations have to ramp up efforts to assess what is personal data and take measures to protect it. And more companies will have to engineer more controls into solutions and products.