Facebook says the accounts of nearly 50 million users were breached.
Attackers exploited a feature in Facebook's code that allowed them to take over users' accounts. The breach was discovered Tuesday afternoon.
Facebook says it patched the vulnerability Thursday night. It notified the FBI on Wednesday. Facebook does not yet know if people's personal information was accessed by the attackers.
"We are still in early phase of investigating this," Facebook CEO Mark Zuckerberg told reporters Friday. "We do not yet know if any of the accounts were actually misused."
Zuckerberg says Facebook has significant security measures in place but will step up efforts to lock down Facebook users' accounts.
"The reality here is we face constant attacks," he said. "We need to do more to prevent this from happening in the first place."
More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning as a security measure. They will be notified why at the top of their News Feed.
Facebook says it is in the early stages of its investigation. It has not identified the attackers nor does it know the origin of the attack.
Attackers exploited a vulnerability in Facebook’s code that affected "View As," a feature that lets people see what their own profile looks like to someone else, allowing them to steal Facebook access tokens they could then use to take over people's accounts.
These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook.
"We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a 'View As' look-up in the last year," said Guy Rosen, vice president of product management.
When these 90 million people log back into Facebook or any apps that use Facebook login, they will be notified at the top of their News Feed, Rosen said.
Facebook says there's no need for users to reset their passwords.
"We’re sorry this happened," Rosen said.
The breach marks the latest privacy mishap for Facebook, which has been hammered for the Cambridge Analytica scandal and the unchecked spread of Russian propaganda during and after the 2016 presidential election. Confidence in the giant social network used by more than two billion people around the world has been shaken by the troubling revelations.
"This is clearly a breach of trust and we take this very seriously. We are working with lawmakers and regulators to let them know what happened," Rosen told reporters.
