Facebook said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users.
The company said it discovered the breach this week, finding that attackers had exploited a feature in Facebook’s code that allowed them to take over user accounts. The company said it fixed the vulnerability and notified law enforcement officials.
“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”
More than 90 million Facebook users were forced to log out of their accounts early Friday, a common safety measure taken when accounts have been compromised.
Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack. The company said it was still in the beginning stages of its investigation.
Facebook said the attackers had exploited a bug in the site’s “view as” feature, which allows users to view their own profiles as if they were someone else. The feature was built to give users more control over their privacy.
The company said the bug was compounded by one in Facebook’s video-uploading programme, a software feature that was introduced last year. The flaw had allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.
The attack was discovered as Facebook continues to contend with the aftermath of its role in a widespread Russian disinformation campaign during the 2016 presidential election and with the fallout from the scandal in which the British consulting firm Cambridge Analytica improperly harvested the personal data of up to 87 million Facebook users.
The company also faces the prospect of federal regulation amid questions about whether it has grown too powerful.
One of the primary challenges for the company has been convincing its users that it can responsibly handle the incredible wealth of data it has access to.
More than two billion people use Facebook every month; another two billion use WhatsApp, a Facebook-owned messaging app, and Instagram, the Facebook-owned photo-sharing app.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg said in a statement regarding Cambridge Analytica this year.
Even before the disclosure on Friday, Facebook was caught up in multiple federal investigations related to its broader data-sharing and privacy practices. The Securities and Exchange Commission has opened an inquiry into the company’s statements about the Cambridge Analytica episode.
Facebook insists it has instituted strict data-sharing policies with third parties, and has scaled back the amount of data it agrees to share with developers in the future. The company suspended access to more than 400 third-party apps after an audit of the thousands of outside apps connected to Facebook.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” vice-president of product management Guy Rosen said. “People’s privacy and security is incredibly important, and we’re sorry this happened.”
Starting around 10am (IST), many Facebook users reported being abruptly logged out of their accounts. Some also mentioned being logged out of Messenger, the social network’s instant messaging app.