NEW YORK — Facebook announced on Friday that its engineers discovered a security issue on Tuesday that affected nearly 50 million accounts. In a news release, Facebook says attackers exploited code the impacted the “View As” feature, which allows users to see what their profile looks like to someone else.
The hackers were able to steal access tokens, which allowed them to take over affected users’ accounts. The company says access tokens are digital keys that keep users logged in so they don’t have to re-enter their passwords each time they try to log on.
In addition to notifying law enforcement, Facebook says it’s reset those access tokens, and preemptively reset another 40 million tokens that used “View As” in the past year.
Around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
It’s also temporarily disabled the “View As” feature for a security review.
Facebook says it doesn’t know who’s behind the attacks, and doesn’t yet know whether the accounts accessed were misused or had information compromised.