An attack on Facebook exposed information on nearly 50 million of the social network’s users, the company announced Friday — and gave the attackers access to those users’ accounts with other sites and apps that they logged into using Facebook.
The attackers exploited a bug in a feature called “View as” that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders.
That would include posting or viewing information shared by any of that account’s friends. Facebook says no credit card information stored with the company was accessed.
Facebook (FB) said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators.
It has also informed the Irish Data Protection Commission about the breach, a step required by Europe’s GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.
More than 90 million users were forcibly logged out of their accounts by Facebook for security reasons and had to log back in on Friday. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among those forcibly logged out.