Facebook has announced a data breach affecting almost 50 million accounts.
The social media giant said hackers exploited a vulnerability in its ‘View As’ feature – which allows users to see what their profile looks like to other users.
The company said it is “taking this incredibly seriously” and has alerted law enforcement about the problem.
It said it has also “fixed the vulnerability” which allowed hackers to steal Facebook ‘access tokens,’ which they could then use to take over people’s accounts.
The company said access tokens are the equivalent of digital keys used to keep people logged in so they do not have to continuously enter their password every time they use the app.
It said it could not rule out the possibility of more accounts being affected.
The company said it had reset the access token for all affected accounts and had taken the “precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year.”
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” it said.
“After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
Security Update https://t.co/8HUo0aHIQJ
— Facebook Newsroom (@fbnewsroom) September 28, 2018
Facebook has also temporarily disabled the ‘View As’ feature, while it conducts a “thorough security review.”
The company said it has yet to determine whether the affected accounts were misused or whether any personal information had been accessed.
It has not identified who was behind the attacks or where they are based.
Facebook said it is “working hard to better understand” what happened and pledged to update when it has more information or “if the facts change.”
“In addition, if we find more affected accounts, we will immediately reset their access tokens,” it said.
The company said its users’ “privacy and security is incredibly important” and apologised for the breach.
It said there is no need for anyone to update their password.