Facebook security breach exposes 50 Million Users’ Data

Facebook said Friday that the accounts of nearly 50 million users were breached in another security incident at the social network.

The extent of the massive hack – how much Facebook users’ personal information was compromised – is not yet known. The unidentified attackers did gain access to basic demographic information such as gender, hometown, name or birthday that people include in their Facebook profile.

Facebook says attackers exploited a feature in its code that allowed them to commandeer users’ accounts. Those accounts included Facebook CEO Mark Zuckerberg and his second-in-command, Sheryl Sandberg.

A spike in traffic triggered an internal investigation on September 16. The breach was discovered Tuesday afternoon and the vulnerability was fixed Thursday night, the company said.

The disclosure of another in a series of security lapses has already brought political heat. Federal Trade Commission Commissioner Rohit Chopra said late Friday that he was alarmed by the Facebook breach. The FTC and other agencies are already investigating Facebook after it revealed political targeting firm Cambridge Analytica accessed the accounts of 87 million users without their consent.

Facebook says it has not identified the attackers nor does it know the origin of the September attack. The Silicon Valley company notified the FBI on Wednesday.

“We are still in the early phase of investigating this,” Facebook CEO Mark Zuckerberg told reporters Friday.

“We do not yet know if any of the accounts were actually misused.”

Zuckerberg says Facebook has invested heavily in security measures but will step up efforts to lock down Facebook users’ accounts.

“The reality here is we face constant attacks,” he said. “We need to do more to prevent this from happening in the first place.”

More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning as a security measure. They will be notified why at the top of their News Feed, the Facebook CEO said.

Attackers exploited a vulnerability in Facebook’s code that affected “View As,” a feature that lets people see what their own profile looks like to someone else. The feature was built to give users more control over their privacy. Three software bugs in Facebook’s code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people’s accounts.

These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook.

Once the attackers had access to a token for one account, call it Jane’s, they could then use “View As” to see what another account, say Tom’s, could see about Jane’s account. The vulnerability enabled the attackers to get an access token for Tom’s account as well, and the attack spread from there. Facebook said it has turned off the “View As” feature as a security precaution.

The attackers could have also gained access to Facebook users’ accounts on other apps and websites they access with Facebook Login, the feature that allows you to log in to other online services with your Facebook credentials, the company said.

Facebook has reset the tokens of nearly 50 million accounts that were affected and, as a precaution, it has also reset the tokens for another 40 million accounts that have used “View As” in the past year.

“So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more,” Zuckerberg said.

When these 90 million people log back into Facebook or any apps that use Facebook login, they will be notified at the top of their News Feed, Guy Rosen, vice president of product management, said.

Facebook says there’s no need for users to reset their passwords. But security experts recommend they do it anyway.

The breach marks the latest privacy mishap for Facebook, which has been hammered for the Cambridge Analytica scandal and the unchecked spread of Russian propaganda during and after the 2016 presidential election.

The FTC on Friday had no comment on whether it was investigating Facebook over this latest breach.

ICO Deputy Commissioner of operations, James Dipple-Johnstone, said:

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.

“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”

Rapid Mobile

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.


By continuing to use our site or clicking I Accept, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.


You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.


Privacy Settings saved!
Cookie Services

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Decline all Services
Accept all Services