Nearly 50 million Facebook accounts hit in worst security breach

Facebook has discovered a security flaw affecting about 50 million user accounts which could have allowed attackers to take over those accounts, the social networking company said on Friday.

SAN FRANCISCO • Facebook has said that hackers stole digital login codes allowing them to take over nearly 50 million user accounts in its worst security breach ever, given the unprecedented level of potential access.

It adds to what has been a difficult year for the company's reputation.

Facebook, which has more than 2.2 billion monthly users, said on Friday it has yet to determine whether the attacker misused any accounts or stole private information. It also has not identified the attacker's location or whether specific victims were targeted.

Its initial review suggests the attack was broad in nature.

Chief executive Mark Zuckerberg described the incident as "really serious" in a conference call with reporters.

His account was affected, along with that of chief operating officer Sheryl Sandberg, a spokesman said.

Facebook made headlines earlier this year after profile details from 87 million users were improperly accessed by political data firm Cambridge Analytica. The disclosure has prompted government inquiries into the company's privacy practices across the world, and fuelled a "#deleteFacebook" social movement among consumers.

United States lawmakers said on Friday that the hack may boost calls for data privacy legislation.

"This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users," Democratic US Senator Mark Warner said in a statement.

Facebook's latest vulnerability had existed since last July, but the company first identified it on Tuesday after spotting a "fairly large" increase in use of its "view as" privacy feature on Sept 16, executives said.

"View as" allows users to verify their privacy settings by seeing what their own profile looks like to someone else.

The flaw inadvertently gave the devices of "view as" users the wrong digital code which, like a browser cookie, keeps users signed in to a service across multiple visits.


That code could allow the person using "view as" to post and browse from someone else's Facebook account, potentially exposing private messages, photos and posts.

The attacker also could have gained full access to victims' accounts on any third-party app or website where they had logged in with Facebook credentials.

Facebook fixed the issue on Thursday. It also notified the US Federal Bureau of Investigation, Department of Homeland Security, congressional aides and the Data Protection Commission in Ireland, where the company has European headquarters.

Two Facebook users sued the company over the breach in federal court in California on Friday.

More than 6,000 users complained about the breach on Mr Zuckerberg's Facebook page.

"I'm so scared now. All my activities are on Facebook," said Mr Mohammad ZR Zia, a 25-year-old college student in Kuala Lumpur, who has been using the social media platform since 2009.


A version of this article appeared in the print edition of The Sunday Times on September 30, 2018, with the headline 'Nearly 50 million Facebook accounts hit in worst security breach'.