Facebook Inc said on Friday that hackers stole digital login codes allowing them to take over up to 50 million user accounts, after what has already been a difficult year for the company's reputation.
Facebook, which has more than 2.2 billion monthly active users, said it has been unable to determine yet whether the attacker misused any of the affected accounts or stole private information. It also has yet to identify the attacker’s location or whether specific victims had been targeted.
Chief Executive Mark Zuckerberg described the incident as a "really serious security issue" in a conference call with reporters.
Shares in Facebook fell 3.0 percent in afternoon trading, weighing on major Wall Street stock indexes.
Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy. The disclosure has prompted government inquiries into the company's privacy practices across the world, and fueled a "#deleteFacebook" social media movement among consumers.
U.S. lawmakers said on Friday that the hack may boost calls for data privacy legislation.
"This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users," Democratic U.S. Senator Mark Warner said in a statement.
Facebook's latest vulnerability had existed since July 2017, but the company first identified it on Tuesday, after spotting an unusual spike in use of its "view as" privacy feature that began on Sept. 16.
"View as" allows users to see what their own profile looks like to someone else, enabling them to verify their privacy settings. The flaw inadvertently issued the wrong access token, a digital credential that, much like a browser cookie, keeps a user logged in, to the devices of people using "view as."
Because the token belonged to the profile being previewed rather than to the person previewing it, whoever held it could post and browse from someone else's Facebook account, potentially exposing private messages, photos and posts.
“The implications of this are huge," Justin Fier, director of cyber intelligence at security company Darktrace, told Reuters.
Guy Rosen, the Facebook vice president overseeing security, said the flaw was "complex" in that it resulted from three failings.
A video upload feature should not have been displayed on a user's profile page when accessed through "view as," Rosen told reporters on a conference call on Thursday. That alone would not have been a problem, except that the video feature wrongly triggered the issuance of the powerful login token. And it issued the token not for the person using "view as," but for the user whose view they were previewing. Chaining the three together meant that looking up another person's profile through "view as" handed the viewer a working login for that person's account.
Facebook said it fixed the issue on Thursday. It also notified the U.S. Federal Bureau of Investigation, Department of Homeland Security, Congressional aides and the Data Protection Commission in Ireland, where the company has European headquarters.
The Irish authority expressed concern in a statement that Facebook has been "unable to clarify the nature of the breach and risk to users" and said it was pressing Facebook for answers.
Facebook reset the access tokens of the 50 million affected accounts and, as a precaution, reset them for another 40 million accounts that had been looked up through the "view as" option over the last year. It also temporarily disabled "view as."
About 90 million people will therefore have to log back into Facebook, and into any of their apps that use a Facebook login, the company said.
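The mechanism Rosen describes above, and the token reset that followed, reduce to a small amount of code. The block below is an added illustration written for this page, not Facebook's code: it models a request as the authenticated principal plus an optional "view as" identity, shows an uploader that issues a token for the displayed identity instead of the actor (the three failings together), the hardened form beside it, and a per-user token generation counter whose bump is the "reset" that invalidates every outstanding token. The signing secret, the user names and the token format are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed server-side signing secret for this example; a real deployment
# would keep this in a secrets manager, never in source.
SERVER_SECRET = b"example-only-signing-secret-do-not-reuse"

# Per-user token generation. Bumping a user's generation is the equivalent of
# "resetting their keys": every token minted under the old value stops working.
TOKEN_GENERATION: Dict[str, int] = {}


@dataclass(frozen=True)
class Request:
    """What the server knows while rendering a profile page.

    authenticated_user: the principal proven by the session cookie.
    view_as: the profile identity being previewed via "view as", or None.
    """
    authenticated_user: str
    view_as: Optional[str] = None


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(user_id: str) -> str:
    """Issue a bearer token bound to user_id and their current generation."""
    generation = TOKEN_GENERATION.setdefault(user_id, 0)
    payload = f"{user_id}:{generation}"
    return f"{payload}:{_sign(payload)}"


def token_subject(token: str) -> Optional[str]:
    """Return the user a token acts as, or None if it is forged or revoked."""
    try:
        user_id, generation_str, sig = token.split(":")
        generation = int(generation_str)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user_id}:{generation}")):
        return None
    if generation != TOKEN_GENERATION.get(user_id, 0):
        return None  # revoked: this user's tokens were reset
    return user_id


def reset_tokens(user_id: str) -> None:
    """Invalidate every outstanding token for user_id, forcing a fresh login."""
    TOKEN_GENERATION[user_id] = TOKEN_GENERATION.get(user_id, 0) + 1


def render_uploader_vulnerable(req: Request) -> Optional[str]:
    """Models the three failings: the uploader is rendered inside a "view as"
    preview, rendering it mints a token, and the token names the displayed
    identity rather than the authenticated actor."""
    displayed_identity = req.view_as or req.authenticated_user
    return mint_token(displayed_identity)


def render_uploader_fixed(req: Request) -> Optional[str]:
    """Hardened form: a preview is read-only and never mints a token, and any
    token that is minted is bound to the authenticated principal only."""
    if req.view_as is not None:
        return None
    return mint_token(req.authenticated_user)


def demo() -> Dict[str, object]:
    """alice previews her profile as bob; compare what each version hands her."""
    alice_as_bob = Request(authenticated_user="alice", view_as="bob")
    leaked = render_uploader_vulnerable(alice_as_bob)
    result: Dict[str, object] = {
        "vulnerable_token_acts_as": token_subject(leaked),        # "bob"
        "fixed_issues_token": render_uploader_fixed(alice_as_bob) is not None,  # False
    }
    reset_tokens("bob")  # the remediation step
    result["leaked_token_after_reset"] = token_subject(leaked)   # None
    return result


if __name__ == "__main__":
    print(demo())
```

The generation counter is one simple way to revoke bearer tokens in bulk without tracking each one; the cost is a per-user lookup on every check. The important design point is in `render_uploader_fixed`: the identity a token is bound to must come from the authenticated session, never from a display-context field that the page happens to be rendering.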
More than 6,000 Facebook users flocked to Zuckerberg’s Facebook page to complain about the latest glitch.
"I'm so scared now. All my activities are on Facebook," Mohammad ZR Zia, a 25-year-old college student in Kuala Lumpur, Malaysia, who has been using the social media platform since 2009, told Reuters. His account was logged out earlier on Friday.
Facebook has suffered more limited breaches before.
In 2013, Facebook disclosed a software flaw that had exposed 6 million users' phone numbers and email addresses to unauthorised viewers for a year, while a technical glitch in 2008 revealed the confidential birth dates of 80 million Facebook users on their profiles.