Facebook on Friday disclosed that close to 50 million users had account data compromised through a security vulnerability.
The social media giant discovered the issue on Tuesday afternoon and is still in the early stages of investigating, according to a company blog post. The vulnerability is resolved and Facebook has informed law enforcement, the company said.
“The reality here is we face constant attacks,” Facebook CEO Mark Zuckerberg told reporters during a press call this afternoon. “We need to do more to prevent this from happening in the first place. … We’re going to keep investing very heavily in security going forward.”
He insisted security has become “an arms race” for social media giants. “This is going to be an ongoing effort,” he said.
This latest revelation comes amid a year of brutal public relations battles for Facebook, which included Zuckerberg testifying for the first time before Congress. The executive’s two-day appearance before Senate and House panels came in the wake of news that Trump-linked data firm Cambridge Analytica had improperly obtained data on as many as 87 million Facebook users.
Of the latest breach, Facebook on Friday said attackers exploited a vulnerability involving a feature known as “View As,” which lets users see what a profile looks like to other users.
A “complex interaction of multiple issues” involving that feature and Facebook’s video upload function allowed hackers to break into accounts by effectively stealing the digital keys that let users stay logged in to Facebook without reentering their credentials, the company said in its blog post. The vulnerability stemmed from changes to video uploading that Facebook made in July 2017.
Since discovering the data breach, the company reset the digital access codes of the nearly 50 million accounts affected. It’s also, as a precaution, resetting that information for another 40 million accounts, meaning about 90 million people will need to go through a formal log-in process with Facebook now. They will get a notification in their news feed explaining the incident. Facebook says no one should have to change account passwords.
“We patched the issue last night and are taking precautionary measures for those who might have been affected,” Zuckerberg said on the press call. “In the interest of transparency, we want to share everything we know now.”
He added that the company doesn’t know if any accounts were misused and said there’s no evidence of any users’ private messages being accessed or anything posted on others’ accounts, but he did not rule out the possibility.
Guy Rosen, the Facebook vice president of product management who authored the blog post, added on the call that no credit card information was taken. Rosen also said the company has contacted the FBI and the Irish Data Protection Commission about the incident but doesn’t know the attackers’ identities or where they might be based.
Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, called the news “deeply concerning” in a statement and called for a full investigation.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over,” Warner said.
Warner’s comments come as lawmakers of both parties have called for comprehensive federal privacy legislation. The EU and California have already passed their own wide-ranging data privacy laws.
Absent such legislation, the tech industry at present still enjoys a broad grant to self-regulate. Zuckerberg told the Senate Commerce and Judiciary committees in April that he hoped to lead company efforts to make Facebook a better steward of user data. “We didn’t take a broad enough view of our responsibility, and that was a big mistake,” he said.
“It will take some time to work through all of the changes we need to make,” Zuckerberg added. “But I’m committed to getting it right.”