Facebook: 90 million accounts could be at risk from hackers

Editor's note: Facebook on Friday, Oct. 12, said hackers had accessed data from 29 million accounts as part of a security breach disclosed in late September. That's fewer than the 50 million the social media giant initially believed were affected.   

Facebook reported a security breach in which 50 million user accounts were accessed by hackers exploiting a bug that affected its popular "View As" feature that lets people see what their profiles look like to someone else. Another 40 million user accounts were at risk from the security flaw before Facebook took steps to protect them, the company said Friday.

In a blog post, the company said the security bug would let attackers steal "access tokens," which are digital keys that Facebook uses to keep people logged in. Possession of those tokens would allow attackers to "seize control" of user accounts, Facebook said.

Specifically, from the "View As" feature, the bug somehow allowed a video uploader to appear for sending "happy birthday" messages, Guy Rosen, Facebook's vice president of product management, explained. Another bug then created an access token that made Facebook think the hacker had legitimately signed in with the account being viewed.

"We haven't yet been able to determine if there was specific targeting," Rosen said in a call with reporters Friday. "It does seem broad. And we don't yet know who was behind these attacks and where they might be based."

Facebook said it has taken steps to fix the security problem and alerted law enforcement. The company also said it reset the access tokens of the 50 million accounts affected by the attack and took a "precautionary step" of resetting tokens for another 40 million accounts. 

"As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login," Rosen wrote in the blog post. 

Zuckerberg: "Security is an arms race"

In a conference call with reporters on Friday, Facebook CEO Mark Zuckerberg said that the company doesn't know yet if any of the accounts that were hacked were misused. 

Asked why consumers should continue to trust the service, Zuckerberg insisted the company is focused on security. 

"Security is an arms race," he said. "We are continuing to improve our defenses and this underscores there are constant attacks from people who are trying to take over accounts or steal information from people in our community."

Still, Facebook's reassurances might not placate worried consumers, some experts said. 

"Facebook's brand is already impaired," said Michael Priem at advertising firm Modern Impact. "This breach will inevitably hurt [Facebook], mostly because consumers are suspicious of the data they have within FB and the heightened awareness with the media attention."

The attackers used the access tokens "at a fairly large scale," although Facebook doesn't yet know how personal information was used, Facebook executives said on the call. Because passwords weren't stolen, consumers only need to log back into their Facebook accounts, which will reset their access tokens, they added. 

The additional 40 million accounts that were also reset were flagged because their accounts had been subject to a "View As" lookup, the company said. 

"It's surprising to me that as popular as Facebook is, no white-hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook's internal IT security team," said Paul Bischoff, privacy advocate with Comparitech.com, said in an email. 

Facebook executives said that it was alerted to the flaw when it noticed an increase in user access to the service, and that security flaws "are very hard to find."

Impact on other companies' apps and sites? 

Jake Williams, a security expert at Rendition Infosec, said the stolen access tokens would likely have allowed attackers to view private posts and probably to post status updates or shared posts as the compromised user, but wouldn't affect passwords.

"The bigger concern ... is whether third-party applications were impacted," Williams said in a text exchange with the Associated Press. "Facebook offers a login service for third parties to allow users to log into their apps using Facebook. In other words, Facebook is providing the identity management for countless other sites and services. These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user's account on a third party site."

Facebook's Rosen confirmed says the hack affecting the 50 million users could also have given attackers access to other apps if users had logged into the other apps using their Facebook username and password. 

A feature called Facebook Login allows people to use their Facebook credentials to sign into certain other apps and services.

Rosen wouldn't say if there was any evidence that attackers misused access to those third party accounts. He says it could have affected apps tied to someone's Facebook account, including Facebook's own Instagram app — although not its WhatsApp messaging service.

He says affected users will now have to manually re-link those third party apps to their Facebook accounts.

Consumers should "always consider rotating your password on a site has been breached if you plan on continuing to use it," said Jerry Gamblin, principal security engineer at Kenna Security. 

The hack is the latest setback for Facebook during a year of tumult for the company.

News broke early this year that a data analytics firm that once worked for the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. Facebook CEO Mark Zuckerberg appeared at a Congressional hearing over Facebook's privacy policies in April.

Facebook has more than 2 billion users worldwide. The company said people do not need to change their Facebook passwords, but anyone having trouble logging on should visit the site's help center. Those who want to log out can visit the "Security and Login" section of their settings, which lists the places that people are logged into Facebook. It offers a one-click option of logging out of all locations.

Ed Mierzwinski, the senior director of consumer advocacy group U.S. PIRG, said the breach was "very troubling."

"It's yet another warning that Congress must not enact any national data security or data breach legislation that weakens current state privacy laws, preempts the rights of states to pass new laws that protect their consumers better, or denies their attorneys general rights to investigate violations of or enforce those laws," he said in a statement.

Wedbush analyst Michael Pachter said "the most important point is that we found out from them," meaning Facebook, as opposed to a third party.

"As a user, I want Facebook to proactively protect my data and let me know when it's compromised," he said. "Shareholders should ultimately approve of Facebook's handling of the issue."

Until then, Facebook on Friday briefly blocked people from posting articles by the Associated Press and the Guardian about its security breach. When users tried to post the articles, a notice popped up saying the article had triggered a filter for likely spam.

"Our security systems have detected that a lot of people are posting the same content, which could mean that it's spam," the notice said. "Please try a different post."

Similar articles by the New York Times and other outlets were not blocked.

Facebook did not respond to a request for comment on the articles blocking.

-- The Associated Press contributed to this report.