Facebook said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users. The company said it discovered the breach this week. The attackers exploited a feature in Facebook’s code that allowed them to take over user accounts. Early Friday, Facebook forced more than 90 million users to log out of their accounts, a common safety measure taken when accounts have been compromised.
Facebook said it had fixed the vulnerability and notified law enforcement officials.
“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “I’m glad we found this, but it definitely is an issue that this happened in the first place.”
Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack. Its investigation is still in its beginning stages, it said.
The attackers exploited two bugs in the site’s “view as” feature, which allows users to view their own profiles as if they were someone else, Facebook said. The feature was built to give users more control over their privacy.
That was compounded by a flaw in Facebook’s video-uploading program, a software feature that was introduced in July 2017, the company said. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.
It is not clear when the attack happened, but it appears to have occurred after the video-uploading program was introduced.
The attack was discovered as Facebook continued to contend with the aftermath of its role in a widespread Russian disinformation campaign during the 2016 presidential election and with the fallout from the Cambridge Analytica scandal, in which a British consulting firm improperly harvested the personal data of up to 87 million Facebook users. The company also faces the prospect of federal regulation amid questions about whether it has grown too powerful.