A post in Facebook’s newsroom today outlines an attack, discovered by Facebook engineers on Tuesday, that exploited a vulnerability in the code behind the “View As” feature, which lets a user see how their own profile appears to another user.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook Vice President of Product Management Guy Rosen wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Rosen says the code has been rewritten to eliminate the security vulnerability.
The “View As” feature has also been temporarily disabled while Facebook investigates the hack and looks to identify who was responsible for the breach.
Facebook has also reset the “access tokens” for 90 million Facebook users, which means only that those users must log back in to Facebook, and to any third-party apps that use Facebook Login, with their existing passwords.
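To make the distinction between a token reset and a password reset concrete, here is an added example of an opaque, server-side access-token store. It is illustrative code written for this page, not Facebook's code, and every name in it (`TokenStore`, `reset_all_tokens`, the user “alice”) is hypothetical. It shows why invalidating every outstanding token kills any stolen copies while the account password keeps working.

```python
"""Added example (not Facebook's code): an opaque, server-side access-token store
showing why a global token reset forces a re-login but leaves passwords untouched.
All names are hypothetical."""

import hashlib
import hmac
import secrets
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Tokens are stored hashed, so a leaked token table yields no usable "keys".
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Passwords and access tokens are separate credentials with separate lifetimes."""

    def __init__(self, token_ttl_seconds: int = 60 * 60 * 24 * 60):
        self._users = {}    # username -> (salt, password_hash)
        self._tokens = {}   # sha256(token) -> (username, issued_at)
        self._ttl = token_ttl_seconds

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify the password and mint a fresh opaque token; None on bad credentials."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)   # random, unguessable, meaningless offline
        self._tokens[_hash_token(token)] = (username, time.time())
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the username a token belongs to, or None if unknown, expired or reset."""
        key = _hash_token(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, issued_at = entry
        if time.time() - issued_at > self._ttl:
            del self._tokens[key]           # lazily expire old tokens
            return None
        return username

    def revoke_user_tokens(self, username: str) -> int:
        """Log one account out everywhere (e.g. a known-compromised user)."""
        doomed = [h for h, (u, _) in self._tokens.items() if u == username]
        for h in doomed:
            del self._tokens[h]
        return len(doomed)

    def reset_all_tokens(self) -> int:
        """Global reset: every outstanding token, including stolen copies, dies.
        Password hashes are untouched, so users simply log in again."""
        count = len(self._tokens)
        self._tokens.clear()
        return count


def demo() -> dict:
    """Walk through theft, reset and re-login; returns the observed outcomes."""
    store = TokenStore()
    store.register("alice", "correct horse battery staple")   # constructed sample user
    token = store.login("alice", "correct horse battery staple")
    stolen_copy = token                          # attacker exfiltrates the token
    before = store.authenticate(stolen_copy)     # attacker is now "alice"
    store.reset_all_tokens()                     # the remediation described above
    after = store.authenticate(stolen_copy)      # stolen copy is worthless
    relogin = store.login("alice", "correct horse battery staple")
    return {
        "before_reset": before,
        "after_reset": after,
        "password_still_works": relogin is not None,
        "old_token_reused": relogin == token,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that makes the reset possible is that tokens are opaque handles looked up server-side; a self-contained bearer token that is verified purely by signature cannot be revoked this way without a separate revocation list.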
After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen writes. “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords.”
You can read the full Facebook statement here.