Facebook said on Friday it found a security flaw in almost 50 million accounts that would allow hackers to take over people’s profiles, an additional blow to the social network’s record on privacy.
The disclosure prompted new threats of investigations into the social network by at least one state attorney general and by Irish authorities who protect the interests of European users.
Facebook did not say how many accounts had been taken over through the vulnerability.
Guy Rosen, Facebook’s vice president of product management, said on a phone call with reporters that the attackers could have accessed not only the 50 million Facebook accounts, but also potentially any other services for which those people used their Facebook login.
The company in a blog post said that someone had used the vulnerability to attack its network, although it did not know who was behind the attempt. Facebook said it had yet to determine whether any accounts were misused or if any information was improperly accessed.
“We’re continuing to look into this and we’ll update when we know more,” Facebook CEO Mark Zuckerberg said on a call with reporters.
Zuckerberg’s own account was compromised in the attack, as was the account of Sheryl Sandberg, the company’s chief operating officer, the company said.
The flaw in Facebook’s code was related to the site’s “view as” feature, which lets people see what their own profile looks like to someone else. Facebook said it had disabled the feature for now and was resetting the digital keys — known as “access tokens” — that the 50 million people use to log in, as well as the digital keys of another 40 million accounts that had been “subject” to a “view as” look-up in the past year.
Facebook noted that affected users would have to log back in to their accounts and would see a notification at the top of their News Feed explaining what had happened.
The attackers did not take passwords or credit card information, the company said.
The vulnerability stemmed from a July 2017 update to Facebook that added the ability to upload birthday videos, according to the company. When those videos appeared on people’s pages through the “view as” feature, access tokens were exposed, Facebook said.
Facebook said it had fixed the vulnerability since discovering it on Tuesday, and had also informed law enforcement including the FBI and Ireland’s data protection commission. Facebook serves its European users from a regional headquarters in Ireland.
The Irish Data Protection Commission expressed frustration at the lack of details coming from Facebook.
The agency said in a statement it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.” It said it would continue to press the company “to clarify these matters further as a matter of urgency.”
Facebook said there did not appear to be a specific country or geographic area that was targeted.
Facebook, the world’s largest social media service with more than 2.2 billion monthly users, has been trying to repair its reputation among users after an earlier privacy scandal, in which the personal information of up to 87 million people ended up in the hands of political consultancy Cambridge Analytica.
Facebook, which spent years flying under the radar of regulators, has recently drawn growing concern over its handling of personal data. The Federal Trade Commission has an open investigation into Facebook’s privacy practices after the Cambridge Analytica disclosure.
Rohit Chopra, one of the FTC's commissioners, tweeted about Facebook on Friday: "I want answers."
Sen. Mark Warner, D-Va., in an emailed statement, called for an investigation of the flaw and action from Congress.
“A full investigation should be swiftly conducted and made public so that we can understand more about what happened,” Warner said.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Warner added. “As I’ve said before – the era of the Wild West in social media is over.”
Josh Stein, the attorney general of North Carolina, said on Twitter that he would investigate the latest security flaw, pointing to a recent settlement with Uber for $148 million over the theft of personal data.
“I will get to the bottom of what happened at Facebook,” Stein tweeted.
The New York Attorney General's office also said it was looking into the matter.
“This is clearly a breach of trust, and we take this very seriously,” Rosen said on the call.
Shares in Facebook fell 2.8 percent in mid-afternoon trading after the company’s announcement.
Zuckerberg said Facebook faces constant hacking attempts and would continue spending heavily on security. “We need to do more to prevent this from happening in the first place,” he said.