50 million Facebook accounts affected by security vulnerability

Facebook has issued a statement warning its users of a "security issue" that affects nearly 50 million user accounts. An investigation is underway, but Facebook said that "it's clear that attackers exploited a vulnerability in Facebook's code."

That vulnerability arose from the "View As" feature that enables users to see what their profiles look like to other people. Exploiting a change made in July 2017 to the video uploading system, hackers could take control of Facebook access tokens—"the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app"—and use them to take over connected accounts. 

Facebook has fixed the problem and informed law enforcement, and the access tokens of the accounts affected by the breach have been reset, as have tokens belonging to 40 million more accounts that have been the subject of a "View As" lookup over the past year. "As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login," the statement says. 

The "View As" feature has also been suspended while Facebook investigates. 

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based," Facebook wrote. 

"We’re working hard to better understand these details—and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens." 

Facebook noted that users do not need to change their passwords. Users who want to log out of Facebook just in case should hit up the "Security and Login" section of the Facebook settings menu.

Andy Chalk
