A million hacked Facebook accounts isn’t cool. You know what’s even less cool? Fifty million hacked Facebook accounts.
A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them were "directly affected," anyway.
The so-called "security update" is light on specifics, but what it does include is extremely troubling.
"On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts," reads the statement. "[It's] clear that attackers exploited a vulnerability in Facebook’s code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts."
That's right, almost 50 million accounts were vulnerable to this attack. As for how many were actually exploited?
"Fifty million accounts were directly affected," explained Facebook VP of product management Guy Rosen on a Friday morning press call, "and we know the vulnerability was used against them."
"We did see this attack being used at a fairly large scale," added Rosen. "The attackers could use the account as if they are the account holder."
The statement itself didn't provide much additional insight.
"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," continues the statement. "We also don’t know who’s behind these attacks or where they’re based."
Facebook says it's fixed the vulnerability, and that 90 million people may suddenly find themselves logged out of their accounts or various Facebook apps as a result.
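The mass logout makes sense once you see how a service revokes access tokens it can no longer trust. The following is an added illustration, not Facebook's code and not derived from its statement: a toy token service that stamps each bearer token with a per-user "generation" counter, so bumping that counter invalidates every token previously issued to that user at once, whether or not the service knows which specific tokens were stolen. The class name, the HMAC-based token format and the sample user IDs are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed signing key for this demo; a real service would load it
# from a KMS/HSM and rotate it, never generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


class TokenService:
    """Issues and validates bearer tokens; supports per-user mass revocation."""

    def __init__(self):
        # user_id -> current token generation. Every token carries the
        # generation it was minted under; a mismatch means "revoked".
        self._generation = {}

    def issue(self, user_id, now=None):
        """Mint a token of the form user:generation:issued_at:hmac_tag."""
        if ":" in user_id:
            raise ValueError("user_id must not contain ':'")
        gen = self._generation.setdefault(user_id, 0)
        issued_at = int(now if now is not None else time.time())
        payload = f"{user_id}:{gen}:{issued_at}"
        tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{tag}"

    def validate(self, token, ttl=86400, now=None):
        """Return the user_id if the token is authentic, unexpired and not
        revoked; otherwise return None."""
        parts = token.split(":")
        if len(parts) != 4:
            return None
        user_id, gen_s, issued_s, tag = parts
        payload = f"{user_id}:{gen_s}:{issued_s}"
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: payload was not signed by us
        if int(gen_s) != self._generation.get(user_id, 0):
            return None  # revoked: issued before the last generation bump
        current = now if now is not None else time.time()
        if current - int(issued_s) > ttl:
            return None  # expired
        return user_id

    def revoke_all(self, user_id):
        """Invalidate every token issued to user_id so far (forces re-login)."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def revoke_many(self, user_ids):
        """Mass reset for a population believed affected; returns the count.

        This is the server-side action behind a 'you have been logged out
        everywhere' event: the tokens themselves need not be located."""
        for uid in user_ids:
            self.revoke_all(uid)
        return len(user_ids)


if __name__ == "__main__":
    svc = TokenService()
    stolen = svc.issue("alice")          # imagine this token leaked
    print("before reset:", svc.validate(stolen))   # alice
    svc.revoke_many(["alice", "bob"])    # the affected population
    print("after reset:", svc.validate(stolen))    # None
```

The design choice worth noting is that revocation is a counter bump, not a blocklist: a blocklist of stolen tokens only helps if you know which tokens leaked, while a generation bump catches every token issued before the reset, at the cost of logging out users whose tokens were never touched.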
Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.
— Mark Warner (@MarkWarner) September 28, 2018
So, yeah, this is big.
"Security is an arms race," Facebook CEO Mark Zuckerberg dryly noted on the press call.
Facebook is working with law enforcement, and, at least for now, says you don't need to change your password. But maybe go ahead and log out of your account, everywhere, just to be safe.
"[If] anyone wants to take the precautionary action of logging out of Facebook, they should visit the 'Security and Login' section in settings," advises the warning. "It lists the places people are logged into Facebook with a one-click option to log out of them all."
So yeah, click through that link and log out of your account on all webpages and apps at once. After that, maybe think long and hard about whether it's even worth logging back in.
UPDATE: Sept. 28, 2018, 10:34 a.m. PDT: This story has been updated with additional comments from Guy Rosen and Mark Zuckerberg.