The issue was discovered on Tuesday, and has since been resolved – but Facebook admits that it doesn’t know if users’ details are safe.
Guy Rosen, VP of Product Management at Facebook, said: “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”
While the investigation is still in its early stages, Facebook has revealed that attackers exploited a vulnerability in the code behind the ‘View As’ feature, which lets people see what their own profile looks like to someone else.
This allowed the attackers to steal Facebook access tokens, which they could then use to take over people’s accounts.
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Facebook has taken several actions to fix the issue.
Firstly, the vulnerability has been fixed, and law enforcement agencies have been informed.
Next, Facebook has reset the access tokens of the 50 million accounts known to be affected to protect their security.
Mr Rosen said: “We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
Finally, Facebook is temporarily turning off the ‘View As’ feature while it completes the investigation.
Worryingly, Facebook does not know whether any of the accounts were actually hacked.
Mr Rosen explained: “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed.
“We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.
“In addition, if we find more affected accounts, we will immediately reset their access tokens.”
Surprisingly, Facebook says there’s no need for users to change their passwords, as accounts are now secure.
Mr Rosen added: “There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center.
“And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all.”
The National Cyber Security Centre said: “We are investigating how this incident has affected people in the UK and advise on appropriate mitigation measures. Users should read the latest advice Facebook has published.
“Based on current information, we understand that Facebook have fixed the flaw by temporarily suspending the ‘view as’ feature.
“There is no evidence that people have to take action such as changing their passwords or deleting their profiles.
“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
How to tell if your Facebook account has been hacked
If your account was part of the attack, you’ll be prompted to log back into your Facebook, and any other apps that use Facebook login.
Once you’ve logged back in, you’ll get a notification at the top of your News Feed explaining what happened.
Surprisingly, Facebook says there’s no need to change your password, as accounts are now secure.