
Facebook hack: 50 million people's accounts exposed by major mistake in social network's code, company admits

Anyone affected is unlikely to know about it

Andrew Griffin
Friday 28 September 2018 19:54 BST

Facebook has suffered an attack that exposed 50 million people's personal accounts, the company has admitted.

A vulnerability in the social network's code meant that hackers could take over people's log-ins and see their most private information, the company said. It said that it was sorry the potential breach had occurred.

The issue related to the "view as" tool, which allows people to see their own profiles as they would look to other people. By exploiting that, hackers could steal the "access token" that keeps people's accounts safe and then break into them, Facebook said.

The company found the flaw on Tuesday and has only just begun its investigation, it said, meaning that it cannot say how the bug was used or by whom. It did not say whether it knew who had been affected by the hack.

Anyone whose account was compromised is likely to be informed as Facebook continues its investigation. There is little that anyone can do apart from checking that an account does not appear to have been used by somebody else, and while it is good practice to change passwords regularly, that will not undo the effects of this attack.

Facebook said that law enforcement was informed and the bug had been patched. It had also completely turned off the "view as" feature for now and would reset those security codes so that anyone who broke into an account would now be kicked out.

That will mean that some 90 million people – the 50 million people thought to be affected, as well as a further 40 million who were subject to a "view as" request in the last year – will be kicked out of their accounts and will have to log back in. Having to do that does not necessarily mean that anyone has seen inside your account.
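The mitigation described above works because an access token is only useful while the server still recognises it: if every token issued to an affected account is deleted server side, any copy an attacker holds stops working and the legitimate owner simply logs in again. The following Python is an added illustration of that pattern, not Facebook's code; the `TokenStore`, the `render_profile_preview` function, the user names and the profile data are all constructed for the example. The preview function also shows the property a "view as" feature must preserve: the viewed-as identity is used only as a filtering rule, and no credential for that person is ever created or returned to the viewer.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical opaque-token session store (not a real library API).
# Tokens are random strings whose meaning exists only in this mapping,
# so deleting a record is enough to invalidate every copy of that token.


@dataclass
class TokenRecord:
    user_id: str
    issued_at: float


@dataclass
class TokenStore:
    _records: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        # 256 bits of randomness; the token is never derived from the user id
        token = secrets.token_urlsafe(32)
        self._records[token] = TokenRecord(user_id, time.time())
        return token

    def validate(self, token: str) -> Optional[str]:
        # Returns the owning user, or None for unknown/revoked tokens
        rec = self._records.get(token)
        return rec.user_id if rec else None

    def revoke_all_for(self, user_ids: Set[str]) -> int:
        # The "reset access tokens" step: drop every token of the given users
        doomed = [t for t, r in self._records.items() if r.user_id in user_ids]
        for t in doomed:
            del self._records[t]
        return len(doomed)


# Constructed sample profiles: field -> (audience, value)
PROFILES = {
    "alice": {
        "friends": {"bob"},
        "fields": {
            "name": ("public", "Alice"),
            "birthday": ("friends", "1 April"),
            "phone": ("only_me", "555-0100"),
        },
    },
    "bob": {"friends": {"alice"}, "fields": {"name": ("public", "Bob")}},
}


def render_profile_preview(store: TokenStore, viewer_token: str,
                           target_user_id: str, profiles=PROFILES) -> dict:
    """Safe 'view as': show the viewer's own profile as target_user_id would
    see it. The target is only a filtering rule; no token is minted for them."""
    viewer = store.validate(viewer_token)
    if viewer is None:
        raise PermissionError("viewer not authenticated")
    profile = profiles[viewer]
    # Audience the target falls into relative to the viewer
    audience = "friends" if target_user_id in profile["friends"] else "public"
    visible = {
        name: value
        for name, (aud, value) in profile["fields"].items()
        if aud == "public" or aud == audience
    }
    return {"viewer": viewer, "as": target_user_id, "fields": visible}


def incident_response_walkthrough() -> dict:
    """Constructed scenario: a copy of one user's token has leaked; the
    operator resets tokens for every affected account."""
    store = TokenStore()
    store.issue("alice")
    bob_token = store.issue("bob")
    leaked_copy = bob_token            # attacker-held copy (constructed)
    assert store.validate(leaked_copy) == "bob"
    revoked = store.revoke_all_for({"alice", "bob"})
    leaked_still_valid = store.validate(leaked_copy)   # now None
    bob_new = store.issue("bob")       # Bob logs back in and gets a fresh token
    return {
        "revoked": revoked,
        "leaked_still_valid": leaked_still_valid,
        "bob_new_works": store.validate(bob_new) == "bob",
    }


if __name__ == "__main__":
    print(incident_response_walkthrough())
```

The cost of the reset is exactly what the article describes: every affected user is logged out and has to sign in again, while anyone holding a stolen copy of a token gets nothing further from it. The trade-off is that the store must be consulted on every request, which is what makes the revocation take effect immediately rather than at token expiry.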

Facebook did suggest that more people could be found to have been potentially affected, and that it was continuing its investigation.

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Guy Rosen, its vice president of product management, wrote in a blogpost.

"We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details – and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens."

The attack came about because of a "complex interaction of multiple issues in our code", Facebook said. It gave few details about how it would have been exploited, beyond the fact that it relied on the "view as" feature and that it "stemmed from a change we made to our video uploading feature in July 2017" that affected that tool.

"People’s privacy and security is incredibly important, and we’re sorry this happened," Mr Rosen wrote in the post. "It’s why we’ve taken immediate action to secure these accounts and let users know what happened."

European data protection regulation means that Facebook is forced to make such potential breaches public as soon as they happen or face huge fines.


It is just the latest security issue to hit the site. In April, for instance, it said that malicious actors were using its search tool to harvest information about most of its two billion users.

And last month its former security chief warned that it was already too late to stop the site being used to interfere with the upcoming midterm elections.

Those warnings come soon after the company was embroiled in the Cambridge Analytica scandal. The academic at the heart of the scandal said that such data collection was "rife" and that the company was struggling to deal with the fallout from the affair.
