In an article on its blog, Facebook’s vice president of product management, Guy Rosen, revealed that the social media giant’s in-house security team discovered a security breach “affecting almost 50 million accounts”.
According to Mr Rosen, attackers targeted Facebook’s “View As” tool, which lets users see their own profile as it appears to other people.
Mr Rosen said that Facebook has fixed the vulnerability that led to the breach and reset access tokens for the 50 million affected account holders plus another 40 million who have used the feature within the past year.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook login. After they have logged back in, people will get a notification at the top of their news feed explaining what happened,” he said.
The View As feature has been temporarily switched off while a broader security review takes place.
In a subsequent post on the site, Facebook’s vice president of engineering, security and privacy, Pedro Canahuati, revealed there were actually three “distinct bugs” that had impacted the social platform.
One of these was specifically with the View As feature, another affected a new version of its video uploader, while the third was related to both used together.
“It was the combination of these three bugs that became a vulnerability: when using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up,” Mr Canahuati explained.
“That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user.”
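The three-bug chain Mr Canahuati describes is easiest to see as a small model. The following is an added illustration, not Facebook’s code or code from the article: a profile renderer with a “View As” mode where the composer is left on the page, its uploader mints a token it should not, and the token is minted for the person being looked up, next to the corrected renderer that mints tokens only for the authenticated principal and only outside preview mode. It also models the mitigation the article reports, a bulk token reset for affected users. All names (`Session`, `TokenService`, `render_profile_*`, `uploader.init`) are assumptions made for the example.

```python
# Constructed illustration of the View As / uploader token bug chain and its fix.
# Not Facebook's code; every class and function name here is an assumption.
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: str                    # the authenticated principal
    view_as: Optional[str] = None   # profile owner being previewed via "View As"


class TokenService:
    """Mints and tracks access tokens so they can be revoked in bulk."""

    def __init__(self) -> None:
        self.active: dict[str, str] = {}   # token -> user it grants access as

    def mint(self, user_id: str) -> str:
        token = secrets.token_hex(16)
        self.active[token] = user_id
        return token

    def owner(self, token: str) -> Optional[str]:
        return self.active.get(token)

    def revoke_for_users(self, user_ids: set[str]) -> int:
        """Mitigation described in the article: reset tokens for affected users."""
        doomed = [t for t, u in self.active.items() if u in user_ids]
        for t in doomed:
            del self.active[t]
        return len(doomed)


def render_profile_vulnerable(session: Session, tokens: TokenService) -> str:
    """Defective behaviour: composer left on the page in View As mode, uploader
    mints a token it should not, and for the person being looked up."""
    subject = session.view_as or session.user_id
    html = f"<div class='profile' data-owner='{subject}'></div>"
    composer_present = True            # Bug 1: composer not removed in preview
    if composer_present:
        token = tokens.mint(subject)   # Bugs 2 and 3: token minted, wrong principal
        html += f"<script>uploader.init('{token}')</script>"
    return html


def render_profile_fixed(session: Session, tokens: TokenService) -> str:
    """Corrected behaviour: no composer (hence no uploader) while previewing,
    and any token is minted for the authenticated user, never the subject."""
    subject = session.view_as or session.user_id
    html = f"<div class='profile' data-owner='{subject}'></div>"
    if session.view_as is None:
        token = tokens.mint(session.user_id)
        html += f"<script>uploader.init('{token}')</script>"
    return html


TOKEN_RE = re.compile(r"uploader\.init\('([0-9a-f]{32})'\)")


def leaked_token_owner(html: str, tokens: TokenService) -> Optional[str]:
    """Regression check: whose access does a token embedded in the page grant?
    Returns None when the page embeds no token."""
    m = TOKEN_RE.search(html)
    return tokens.owner(m.group(1)) if m else None


def demo() -> dict:
    tokens = TokenService()
    alice_previewing_bob = Session(user_id="alice", view_as="bob")
    vuln_html = render_profile_vulnerable(alice_previewing_bob, tokens)
    fixed_html = render_profile_fixed(alice_previewing_bob, tokens)
    own_page = render_profile_fixed(Session(user_id="alice"), tokens)
    result = {
        "vulnerable_leaks_as": leaked_token_owner(vuln_html, tokens),  # 'bob'
        "fixed_leaks_as": leaked_token_owner(fixed_html, tokens),      # None
        "own_page_token_for": leaked_token_owner(own_page, tokens),    # 'alice'
        "tokens_before_reset": len(tokens.active),                     # 2
    }
    result["revoked"] = tokens.revoke_for_users({"bob", "alice"})     # 2
    result["tokens_after_reset"] = len(tokens.active)                  # 0
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in `leaked_token_owner` is the kind of regression test worth keeping after such a fix: render a profile in preview mode and assert that no token appears in the page at all, and that any token on a normally rendered page belongs to the session user. The `revoke_for_users` call mirrors the bulk reset the article reports, which is the right response when the set of tokens that may have been minted for the wrong principal cannot be distinguished from legitimate ones.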
Hack a wake-up call for business
Responding to the Facebook attack, Sanjay Aurora – Asia Pacific managing director of cyber security firm Darktrace – said that if a technology giant with the size, resources and technical know-how of Facebook can be attacked, then businesses of all sizes and shapes are fair game.
“If Facebook can be breached, we have to assume that all organisations either have been breached or will be soon,” he said.
“The revelations coming out of Facebook today should be a wake-up call… abiding by the status quo of security is simply not an option.
“Every single organisation needs to take a hard look at how they are protecting their sensitive data, where they are investing their money, and what technologies they are using for defence and response.”
According to Mr Aurora, the Facebook attack must have been “complex, sophisticated and stealthy”, with lots of moving parts. That means it is possible to identify “anomalies” for further investigation and thwart would-be criminals from gaining unauthorised entry to a business and its data.