"This is a really serious security issue and we're taking it really seriously," Facebook Mark Zuckerberg told reporters during a Friday media call.
Attackers exploited vulnerabilities in the code for Facebook's "View As" feature, enabling them to abscond with access tokens (think fancy, security-based cookies) which could then be used to hijack the target account. Facebook announced on Friday that it patched the vulnerability on Thursday night, disabled View As and reset the access tokens for the 50 million accounts it knows were targeted as well as another 40 million people who have used View As since its implementation last year, for good measure. Spokespeople for the company were unable to confirm if this data breach was in any way related to a hacker's threats to delete Mark Zuckerberg's account on a livestream from earlier in the day.
"This attack exploited the complex interaction of multiple issues in our code," Guy Rosen, VP of Product Management, wrote. "It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.' The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
"There's no need for anyone to change their passwords," he continued.
With the investigation still in its early stages, neither Facebook nor law enforcement know yet who is behind the attack, where the attacks originated from, or whether any personal data was accessed.