Navigate

Facebook says 50M user accounts affected by security breach

By MATT O’BRIEN and MAE ANDERSON Associated Press | Saturday, September 29, 2018, 12:05 a.m.
Click here and log in to view this story
Subscribe Now Choose a package that suits your preferences.
Start Free Account Get access to 7 premium stories every month for FREE!
Already a Subscriber? Current print subscriber? Activate your complimentary Digital account.

NEW YORK — Facebook reported a major security breach in which 50 million user accounts were accessed by unknown attackers.

The attackers gained the ability to “seize control” of those accounts, Facebook said, by stealing digital keys the company uses to keep people logged in. Facebook has logged out owners of the 50 million affected accounts — plus another 40 million who were vulnerable to the attack. Users don’t need to change their Facebook passwords, it said.

Facebook said it doesn’t know who was behind the attacks or where they’re based. In a call with reporters on Friday, CEO Mark Zuckerberg said that attackers would have had the ability to view private messages or post on someone’s account, but there’s no sign that they did.

“We do not yet know if any of the accounts were actually misused,” Zuckerberg said.

Facebook shares fell $4.38, or 2.6 percent, to close at $164.46 on Friday.

The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of that has significantly shaken the confidence of the company’s 2 billion global users.

The latest attack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as “access tokens,” from the accounts of people whose profiles were plugged into the “View As” feature — and then moved along from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, said Guy Rosen, Facebook’s vice president of product management.

But it wasn’t until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.

“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Rosen said in a call with reporters.

Leave a Comment