Facebook discloses major security flaw, could affect 50 million users

Illustration: Rebecca Zisser/Axios

Facebook today revealed a “security issue” in which a code flaw could have allowed hackers to take over upwards of 50 million user accounts.

“We face constant attacks from people who want to take over accounts or steal information… We need to do more to prevent this from happening in the first place.”
— Facebook CEO Mark Zuckerberg, during a call with reporters.

The big picture: This is just the latest in a long string of recent problems for Facebook, including executive defections, social media interference, privacy concerns, and accusations of anti-conservative bias.

"The original investigation started when we saw a pattern of increased usage to the site and when we dug into that we found this was an attack exploiting that vulnerability."
— Guy Rosen, Facebook's vice president of product management

Why it matters: Facebook's headache is no longer about a third party brokering user data — this is about Facebook's code having a flaw that allows hackers to access personal information in user accounts. And there is nothing users can do about it from a security standpoint but let Facebook roll out an update.

The code vulnerability is related to the “view as” feature on profiles, where users can view their profiles through the eyes of someone else.

  • Facebook says the hack was produced by the interaction of three "bugs" introduced when Facebook updated the video upload feature in July 2017.

The company does not yet know if information has been misused or accessed, which is something CEO Mark Zuckerberg reiterated during a media call.

  • Passwords were apparently not accessed. Neither was any credit card information.
  • Facebook says it has fixed the code vulnerability, and the "view as" feature is temporarily turned off.
  • The company says it is working with the FBI. It also alerted the Department of Homeland Security and, per new privacy rules there called GDPR, law enforcement in Europe.

Facebook says it first learned of the vulnerability this past Tuesday. On Wednesday it alerted authorities, and on Thursday it fixed the vulnerability and began resetting access codes.

Correction: This story has been updated to specify the year of the hack and correct that the bug was in the video upload feature's code.