Facebook Resets Access to 90 Million Accounts Following Security Breach

Facebook has reset the access to 90 million user accounts after finding a security breach, forcing the affected users to log back into their accounts, the company announced Friday. The breach allowed hackers to access other people’s accounts, and directly affected 50 million of those accounts.

“We patched the issue last night,” Facebook CEO Mark Zuckerberg said on a press call Friday. “We do not yet know whether any private information was accessed.” 

The company said that it doesn’t yet know whether the breach was used by anyone to access any personal information, including private messages, from those 50 million Facebook users without their knowledge. It did confirm that hackers were able to access profile information, including age, gender, and place of residence, but that they didn’t have access to any credit card information.

Facebook clarified during a second call with media Friday afternoon that the breach also potentially gave hackers access to third-party apps and websites that use Facebook’s login, including the company’s own Messenger and Instagram apps. Users who find themselves unable to log into third-party apps with their Facebook accounts may have to disconnect those apps from their account, and then reconnect them to regain access.

Facebook said that it was working with the FBI and other law enforcement agencies to help investigate the breach.

“We also don’t know who’s behind these attacks or where they’re based,” Facebook’s VP of product management Guy Rosen wrote in a blog post. “We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”

At the center of the hack was a Facebook feature that allows users to view their own Facebook page the way other users with different access levels — friends, family, or unknown users — would see it. This “view as” feature could apparently be exploited to also steal access tokens to take over third-party accounts.

“We’re temporarily turning off the ‘View As’ feature while we conduct a thorough security review,” Rosen wrote Friday. Users who have been affected by the breach will have to log back into their Facebook account, and the company said that it would post a note atop their newsfeed explaining the situation.

Rosen explained during Friday’s call that the company inadvertently introduced three bugs when it made changes to its video uploader in July of 2017. However, the company didn’t discover that these bugs could be used to hack its system until this week. It informed law enforcement about it on Wednesday, and disabled the vulnerability late Thursday.

The company decided to disable access tokens for another 40 million users as a precautionary measure because it found that the profiles of those users were browsed with the “view as” feature enabled. However, this could have also been a legitimate use of the feature.

Facebook does not yet know whether the hack was initiated by nation-state actors, but Rosen said Friday that the 50 million users targeted were seemingly a broad slice of Facebook’s users. The company did notify European authorities about the breach, something that it is required to do under Europe’s new privacy laws if European users were affected.

“The reality is, we face constant attacks,” Zuckerberg said during Friday’s call. He added that he was happy that this particular breach was uncovered, but that the company had to step up its security efforts going forward. “We need to prevent this from happening in the first place.”

Update, 2:42pm: This post was updated with additional information on the data breach.
