Data from almost 50 million Facebook users was exposed in a data breach, the social media company said today, according to The New York Times. The company said the vulnerability had been addressed, and law enforcement had been notified. In addition to the 50 million breached accounts, Facebook took preventive measures to protect another 40 million users.
It is believed to be the largest breach in Facebook’s history.
“I’m glad we found this, but it definitely is an issue that this happened in the first place,” said Facebook CEO Mark Zuckerberg.
The company noted that its investigation was still in the earliest stages, and that the full scope of the attack was still not clear. The breach, which was discovered earlier this week, targeted vulnerabilities in the site’s “view as” feature, which helps users fine-tune their privacy settings. An additional bug in the site’s video-upload feature was exploited by hackers to obtain digital access tokens, which allow users to remain logged in to their account on a device. The tokens could potentially have given hackers access to user accounts on any third-party apps and websites that use Facebook Login.
Facebook reset the access tokens of affected users, logging them out of their accounts.
If the breach, and the company’s handling of it, is found to have violated the European Union’s General Data Protection Regulation (GDPR), Facebook could be fined as much as four percent of its global revenue.
It’s still unclear who may have been behind the attack. According to Guy Rosen, Facebook’s vice president of product management, the scale and complexity of the attack would have called for “a certain level” of expertise. However, “the investigation is early, and it’s hard to discover who is behind this,” he said.
Social media companies have faced new levels of scrutiny this year over their handling of consumer data, following several breaches and scandals. Responding to news of the breach, Senator Mark Warner said in a statement:
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures. This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
Shares of Facebook fell roughly 3 percent after the breach was announced.