Facebook discovered a security issue Sept. 25 that exposed an estimated 50 million users' accounts, marking one of the social-media giant's largest data breaches to date.
Here are six things to know about the breach:
1. The attack on Facebook's computer network — which the company detailed in a blog post three days after its discovery on Sept. 28 — exploited three flaws in the social network's code.
2. The vulnerability stemmed from the "View As" feature, which enables users to see what their own profile looks like from the vantage point of another user. By targeting a series of flaws, the cyberattacker was able to expose Facebook access tokens — or digital keys that keep people logged in to Facebook — for other users' accounts in the HTML, which they could use to gain control of the users' accounts.
3. The cyberattacker may have been able to use Facebook access tokens to take over accounts on third-party apps like Spotify and Instagram, which allow users to log in through Facebook. Guy Rosen, vice president of product management at Facebook, said the company was unsure of the extent of the breach to third-party accounts during a Sept. 28 conference call with reporters, according to The New York Times.
4. In the Sept. 28 blog post, Mr. Rosen said the company was in the early stages of its investigation and did not know whether affected accounts were misused. He also noted Facebook had not determined who was behind the attacks or where they were based. On the call with reporters, Mr. Rosen confirmed the cyberattacker tried to harvest people's private information, such as name, sex and hometown, NYT reports.
5. Mr. Rosen outlined steps Facebook has taken to remedy the breach in his blog post, such as:
- Informing law enforcement,
- Fixing the bugs that led to the security vulnerability,
- Turning off the "View As" feature while the company conducts a security review, and
- Resetting the access tokens of the nearly 50 million accounts the company knows were affected, along with another 40 million accounts that were subject to a lookup through the "View As" feature in the last year. These 90 million users will have to log back into Facebook.
6. The breach is the largest in the history of the social network, which was founded in 2004 and now boasts 2.2 billion users, according to NYT. Two people familiar with the matter told the newspaper Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among those whose accounts were exposed in the cyberattack.