
NEW YORK: For users, Facebook's revelation of a data breach that gave attackers access to 50 million accounts raises an important question: What happens next?
For the owners of the affected accounts, and of another 40 million that Facebook considered at risk, the first order of business may be a simple one: sign back into the app. Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen — keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.
Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.
What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook's code that allowed them to steal those digital keys, technically known as "access tokens." The company says it has fixed the bugs.
Users don't need to change their Facebook passwords, it said, although security experts say it couldn't hurt to do so.
Facebook, however, doesn't know who was behind the attacks or where they're based. In a call with reporters on Friday, CEO Mark Zuckerberg — whose own account was compromised — said that attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
"We do not yet know if any of the accounts were actually misused," Zuckerberg said.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of these issues have significantly shaken the confidence of the company's 2 billion global users.
This latest hack involved bugs in Facebook's "View As" feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the "View As" feature. The attack then moved along from one user's Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.
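As an added illustration (not Facebook's code, and not a description of the bugs themselves), one way a service can implement the remediation described above: each bearer token records when it was issued, and a per-account revocation epoch rejects every token issued before a reset, which is why a forced mass logout neutralises stolen tokens without changing anyone's password. The server key and user names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: HMAC-signed bearer tokens plus a per-account revocation
# epoch. The secret and user names are placeholders, not real values.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_TOKEN_AGE = 90 * 86400  # seconds; long-lived "keep me logged in" tokens

# user_id -> time before which every issued token is treated as invalid
revocation_epoch = {}


def _sign(data: bytes) -> bytes:
    return hmac.new(SERVER_KEY, data, hashlib.sha256).digest()


def issue_token(user_id: str, now: float) -> str:
    """Mint a token that keeps user_id logged in; `iat` is the issue time."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": user_id, "iat": now}).encode())
    sig = base64.urlsafe_b64encode(_sign(body))
    return (body + b"." + sig).decode()


def verify_token(token: str, now: float):
    """Return the user id if the token is authentic, unexpired and not revoked."""
    try:
        body, sig = token.encode().split(b".", 1)
        # Constant-time compare: a forged or altered token fails here.
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        user, issued_at = claims["sub"], float(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    if now - issued_at > MAX_TOKEN_AGE:
        return None  # past its lifetime
    if issued_at < revocation_epoch.get(user, 0.0):
        return None  # minted before the account's tokens were reset
    return user


def revoke_all_tokens(user_id: str, now: float) -> None:
    """Force-logout: every token issued to user_id before `now` stops working.

    This is the server-side "reset the keys" step; the password is untouched.
    """
    revocation_epoch[user_id] = now
```

Any token an attacker copied before the reset fails `verify_token` afterwards, while tokens minted by a fresh login succeed.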
One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, said Guy Rosen, Facebook's vice president of product management. But it wasn't until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.
"We haven't yet been able to determine if there was specific targeting" of particular accounts, Rosen said in a call with reporters. "It does seem broad. And we don't yet know who was behind these attacks and where they might be based."
Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.
Facebook confirmed late Friday that third-party apps, including its own Instagram app, could have been affected.
"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves," Rosen said.
News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook's privacy practices.
The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts — enough for half of the world's entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.
U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.