THE SOCIAL NETWORK Facebook waited until 6 pm on Friday to announce that an estimated 50 million users were affected by a major security breach.
The breach, which Facebook engineers discovered on 25 September, saw hackers exploit a vulnerability in Facebook's code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else.
"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts," explained Guy Rosen, VP of Product Management at Facebook.
With access to a user's access token, hackers would have had access to private messages, which would have remained exposed to harvesting until Facebook forced a log-out.
"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.'
"The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
The company notes that its internal investigation is "still in its early stages" and says it remains unclear who might be behind the attack or what user data - if any - was taken.
Facebook says it has fixed the vulnerability and reset the access tokens of the almost 50 million accounts affected by the breach. Additionally, as a precaution, it's resetting tokens for another 40 million accounts that have been subject to 'View As'.
The firm has also switched off the 'View As' feature while it conducts a "thorough security review".
"People's privacy and security is incredibly important and we're sorry this happened," Rosen added. "It's why we've taken immediate action to secure these accounts and let users know what happened."
Facebook might end up with another breach to deal with over the weekend, as a Taiwanese hacker claims he'll delete Mark Zuckerberg's account and broadcast himself doing so on Facebook Live on Sunday.