Social network says it learned this week that hackers exploited a trio of software flaws to steal 'access tokens'
Facebook revealed on Friday that up to 50 million accounts were breached by hackers, dealing a blow to the social network's effort to convince users to trust it with their data.
The leading social network said it learned this week that hackers exploited a trio of software flaws to steal "access tokens," the equivalent of digital keys that enable them to access their accounts.
Facebook chief executive Mark Zuckerberg said engineers discovered the breach on Tuesday, and patched it on Thursday night.
"We don't know if any accounts were actually misused," Zuckerberg said. "This is a serious issue."
As a precaution, Facebook is temporarily taking down the "view as" feature -- described as a privacy tool to let user see how their own profiles would look to other people.
"It's clear that attackers exploited a vulnerability in Facebook's code," said vice president of product management Guy Rosen.
"We've fixed the vulnerability and informed law enforcement."
Facebook reset the 50 million breached accounts, meaning users will need to sign back in using passwords.
Democratic US Senator Mark Warner cited the breach as further proof of the privacy danger of companies such as Facebook and Equifax not adequately protecting the massive amounts of information they gather about people.
"This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users," Warner said in a released statement.
"As I've said before -- the era of the Wild West in social media is over."
The breach is the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had personal data hijacked by a political firm working for Donald Trump in 2016.
"We face constant attacks from people who want to take over accounts or steal information around the world," Zuckerberg said on his Facebook page.
"While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place."
Facebook said it took a precautionary step of resetting access tokens for another 40 million accounts where the vulnerable feature was used. This will require those users to log back in to Facebook.
"People's privacy and security is incredibly important , and we're sorry this happened," Rosen said.
No passwords were taken in the breach, only "tokens" that act as digital keys allowing people to automatically log back into the social network, according to Rosen.
Information hackers appeared interested in included names, genders, and home towns, but it was not clear for what purposes, the executives said in a telephone briefing.
The stolen tokens gave hackers complete control of accounts. Facebook is trying to determine whether hackers tampered with posts or messages in breached accounts.
Hackers took advantage of a "complex interaction" between three software bugs, which required a degree of sophistication, according to Rosen.
"We may never know who is behind this," Rosen said. "This is not an easy investigation."
Facebook is working with data privacy regulators as well as law enforcement, according to Rosen.
Facebook this year is doubling to 20,000 the number of workers devoted to safety and security, and has taken to embedding that personnel in with product management teams, Rosen said.
When asked why people should still trust Facebook with their personal information, Zuckerberg outlined anew ways the social network is ramping up defenses.
"As I've said a number of times, security is an arms race," Zuckerberg said.
But Facebook may have deeper problems, said Jonathan Zittrain, a Harvard law professor and co-founder of university's Berkman Klein Center for Internet & Society.
"There is a structural problem here," Zittrain said in a tweet.
"Facebook has one of the best and most well-resourced cybersecurity outfits in the world, yet a breach of its servers appears to have compromised tens of millions of accounts in still-undisclosed ways."