Facebook has said 50 million user accounts may be at risk after hackers exploited a security vulnerability on the site.
The company said in a blog post Friday that it discovered the bug earlier in the week. The bug is in the site’s “View As” feature, which lets users see how their profile appears to someone else. Facebook has switched off the “View As” feature while it investigates the bug further.
The bug allowed hackers to obtain account access tokens, which keep users logged in after they have entered their username and password. Stolen tokens can allow hackers to break into accounts.
Facebook said that it has reset the access tokens of all affected users, as well as those of an additional 40 million accounts out of an abundance of caution. That means some 90 million users will have been logged out of their account, either on their phone or computer, in the past day. Facebook also said that users will be notified once they log in.
“We have yet to determine whether these accounts were misused or any information accessed,” said Guy Rosen, Facebook’s vice president of product management. “We also don’t know who’s behind these attacks or where they’re based.”
Chief executive Mark Zuckerberg said in a call with reporters that the company doesn’t know if any accounts have been misused, but that its investigation is in an early stage and it’s monitoring accounts closely.
Facebook has contacted law enforcement, the blog post said. The social network has 2.2 billion monthly active users.
“If we find more affected accounts, we will immediately reset their access tokens,” said Rosen.
Facebook did not immediately respond to a request for comment, but is due to hold a call with reporters shortly.