Facebook just admitted that an unknown hacker or a group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access token for more than 90 million accounts.
In a brief blog post published Friday, Facebook revealed that its security team discovered the attack three days ago (on 25 September), and they are still investigating the security incident.
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” Facebook said.
The vulnerability, which has yet not been disclosed and now patched by Facebook, resided in the “View As” feature—an option that allows users to find out what other Facebook users would see if they visit your profile.
According to the social media giant, the vulnerability allowed hackers to steal secret access tokens that could then use to take over user accounts.
Secret access tokens “are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”
To prevent its users’ accounts, the company has already reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” the company said.
Facebook has also notified law enforcement officials of the security breach.