Facebook reveals 50M users affected by data breach, investigation of attack still in ‘early stages’

Social networking giant Facebook announced on Friday that nearly 50 million accounts were affected by a flaw in the service’s “View As” code, though details on what kind of information may have been taken remains unknown as the company begins its investigation.

Cautioning that its assessment of the breach is “still in its early stages,” Facebook posted a security update on its official blog to disclose the hack, in which Facebook access tokens were used to take over people’s accounts. Facebook issues access tokens to keep users logged into their account without the need to re-enter a password.

The company has temporarily turned off the “View As” feature, which allows users to adjust their privacy settings and see how their profile appears to other members of the service. It has also informed law enforcement and fixed the vulnerability.

Thus far, Facebook has reset the access tokens of the 50 million compromised accounts, as well as another 40 million users who were subject to a “View As” lookup in the last year. Those users also received a notification on their News Feed explaining why they had to re-enter their password.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Facebook VP of Product Management Guy Rosen wrote in the post. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”

It has been a tumultuous year for Facebook, as the company has seen numerous data handling issues, privacy scandals, and personnel shakeups. Just this week week, the founders of Instagram departed the company after reportedly not seeing eye to eye with Facebook’s direction for the photo sharing service.

Facebook Chief Executive and founder Mark Zuckerberg was also grilled before Congress earlier this year about how the social network manages and protects user data. The company has been under fire and working to revise its services and policies since it was revealed that a third-party company, Cambridge Analytica, improperly collected and used data from the site to help influence the 2016 U.S. presidential election.

OWI Insight: Facebook’s repeated emphasis that it is in the early stages of the investigation, and the acknowledgement that more accounts may have been affected, is telling. The breach was discovered on Tuesday and disclosed on Friday, which is a positive step for transparency and building Trust & Safety. However, as the company continues to analyze the breach and discovers what kind of data was accessed, it would not come as a surprise if the incident was more serious than the company first acknowledged. After the Cambridge Analytica scandal, Zuckerberg said, “We have a responsibility to protect your data, and if we can’t, then we don’t deserve to serve you.” We will see how well user data was protected in this incident as Facebook continues its investigation.