Facebook disclosed Friday a widespread security flaw that allowed hackers to access user accounts. The breach has impacted around 50 million people. As a security measure, Facebook says about 90 million users have been required to log back into their accounts which effectively “resets” their digital key.
“This a serious issue, and we’re very focused on addressing it and it’s why we’ve patched the vulnerability,” Facebook CEO Mark Zuckerberg said during a conference call with reporters.
Engineers discovered the attack on Tuesday. According to Zuckerberg, the hackers found a vulnerability in the code of what’s called the “View As” feature, which is a privacy function that allows users to see what their Facebook profile looks like to another person. This breach allowed the hackers to access a digital key, which the hackers could have used to take over users accounts. The “View As” feature has temporarily been shut off while Facebook conducts a security review.
Guy Rosen, Facebook’s vice president of product management, said during the conference call that it is not clear who might have been behind the attack. Rosen says the company is still assessing the scope of the attack and is in the beginning stages of its investigation. Rosen says they’ve called on the help of the FBI and in light of General Data Protection Regulation laws, notified the Irish Data Commission of the breach.
“The timing is bad, it’s really the worst time for Facebook,” cybersecurity expert and San Jose State University professor Ahmed Banafa said. “They’re under the microscope.”
Over the last year, the Securities and Exchange Commission and the FBI joined the Justice Department and Federal Trade Commission to investigate how the political analytics firm Cambridge Analytica, purchased data on 87 million users of Facebook without their consent. There is also mounting pressure from politicians to regulate companies like Facebook.
Banafa says Facebook's transparency about this breach is a good sign, but it can only go so far, and privacy is what users want.
“Privacy gives me the assurance that my data will not be used without my permission because of your fault or somebody else's,” Banafa said.
News of this security breach came hours after Taiwanese hacker Chang Chi-yuan pledged to delete Zuckerberg’s personal page on Sunday as a way to demonstrate Facebook security flaws. Rosen says Facebook is aware of the threat, but they have no indication it is related to the latest security breach.