Guy Rosen, Facebook vice president of Product Management, said the social network discovered the bug Tuesday — and that it affected as many as 50 million users.
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” he said in a Facebook blog post Friday. “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
Tokens allow users to remain logged in to Facebook so they don’t have to keep re-entering their password every time they want to access it.
Rosen said Facebook is in the early stages of its investigation, and has not yet determined whether any accounts were misused or if information was accessed.
“We also don’t know who’s behind these attacks or where they’re based,” he wrote. “We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.”
Facebook said it fixed the flaw and notified law enforcement of the hacking. The company also has reset access tokens for the affected accounts and another 40 million accounts that have used the “View As” feature in the past year. All 90 million of those accounts must log back into Facebook, where they will see a notification explaining the incident.
The company also said it is temporarily disabling the “View As” feature until it conducts a security review.
Facebook said there is no need for users to change their passwords.
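The article describes access tokens that keep a user logged in, a bulk reset of those tokens as the incident response, and the resulting point that passwords did not need to change. The following is an added illustration, not Facebook's code, of why those three things fit together: tokens are signed and stamped with an issue time, and a per-user "not valid before" watermark invalidates every token issued earlier without touching the stored password. The class, method names and the constructed user IDs are assumptions for the example.

```python
"""Access-token lifecycle with bulk revocation (added example, not Facebook's code).

Models the response described in the article: signed tokens keep a user
logged in; a per-user "not valid before" watermark kills every token issued
before an incident; password hashes are untouched by the reset.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple


class TokenStore:
    """Hypothetical server-side token and credential store."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 60 * 24 * 3600):
        self.server_key = server_key
        self.ttl = ttl_seconds
        # user_id -> epoch seconds; tokens issued before this time are rejected
        self.not_before: Dict[str, float] = {}
        # user_id -> (salt, pbkdf2 hash); a token reset never modifies this
        self.passwords: Dict[str, Tuple[bytes, bytes]] = {}

    # --- credentials (separate from session tokens) ---------------------
    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[user_id] = (salt, digest)

    def check_password(self, user_id: str, password: str) -> bool:
        salt, digest = self.passwords[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    # --- tokens ---------------------------------------------------------
    def _sign(self, body: bytes) -> str:
        return hmac.new(self.server_key, body, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a token carrying the subject and its issue time ('iat')."""
        now = time.time() if now is None else now
        body = json.dumps({"sub": user_id, "iat": now, "n": secrets.token_hex(8)}).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id the token grants access to, or None if rejected."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.rsplit(".", 1)
            body = base64.urlsafe_b64decode(payload.encode())
            if not hmac.compare_digest(sig, self._sign(body)):
                return None  # forged or tampered
            claims = json.loads(body)
        except (ValueError, binascii.Error):
            return None  # malformed
        if claims["iat"] + self.ttl < now:
            return None  # expired normally
        if claims["iat"] < self.not_before.get(claims["sub"], 0.0):
            return None  # issued before the incident reset: dead
        return claims["sub"]

    def reset_tokens(self, user_ids: Iterable[str], now: Optional[float] = None) -> int:
        """Bulk-invalidate every existing token for the given users.

        Each user must log in again and gets a fresh token; their password
        is not changed, because the credential store is not touched.
        """
        now = time.time() if now is None else now
        count = 0
        for uid in user_ids:
            self.not_before[uid] = now
            count += 1
        return count
```

`validate` rejects a token for three independent reasons: bad signature, past its normal lifetime, or issued before the user's reset watermark. The watermark is what makes a population-wide reset cheap: one timestamp per affected user rather than a lookup table of every stolen token, which matters when the exact set of stolen tokens is unknown at the time of the response.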