Facebook announced Friday it has discovered a security incident affecting almost 50 million accounts.
The social media giant discovered the breach earlier this week, when its engineering team identified a vulnerability in Facebook’s code that impacted “View As,” a feature that lets people see what their profile looks like to someone else.
Guy Rosen, Facebook’s vice president of product management, wrote in a blog entry Friday that the company’s investigation is in its early stages. The company says the vulnerability has been fixed and law enforcement has been brought in.
The bug allowed attackers to steal digital access tokens, which are the keys that allow people to access their profiles without having to log in every time they visit the site. Attackers then used the tokens to move between accounts.
Facebook says no password or credit card information was lost or stolen in the incident.
The company says the vulnerability was possible due to “multiple complex issues” in its code, stemming from a change to its uploading feature made in July 2017.
As a precaution, the company forced about 90 million users to log out in order to reset access tokens.
Since the investigation is in its early stages, Facebook does not know if any accounts were misused or any information accessed. The company also does not know who is behind these attacks or where they’re based.
“This is not a simple investigation,” Rosen said on a media call.
The company also said it has notified the appropriate European data protection authorities, as the company is required to do under the European Union’s General Data Protection Regulation.
Ireland’s Data Protection Commission, the authority Facebook reported the breach to, called for the social media company to “urgently” clarify information related to the breach.
Facebook data breach. The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters. #dataprotection
— Data Protection Commission Ireland (@DPCIreland) September 28, 2018
The breach comes during a rough time for the company. Earlier this year, Facebook CEO Mark Zuckerberg testified in front of a U.S. Senate committee over various scandals related to online disinformation campaigns and questions over data privacy.
“Security is an arms race,” Zuckerberg said Friday on the media call. “We’re continuing to improve our defenses and I think that this underscores there are constant attacks where people are trying to take over accounts and steal information in our community.”
Sen. Mark Warner, D-Va., said he wants the company to conduct a swift investigation so the public has more info on what exactly happened.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Warner said. “As I’ve said before — the era of the Wild West in social media is over.”