In an official blog post, Facebook has confirmed that at least 50 million user accounts have been affected due to a newly discovered security flaw.
The bug that has wrecked this havoc is related to Facebook’s “View As” feature, which allows you to view your profile as seen by some other user. By exploiting this flaw, the attackers were able to grab the access tokens and take control of user accounts.
The blog post mentions that while the investigation is in the early stages, the bug has been fixed and the law enforcement has been informed; The “View As” feature has also been temporarily turned off.
Further, to ensure the safety of the users, the access tokens of the affected 50 million accounts have been reset. This could result in you logging out of Facebook or any other app that uses Facebook login. If it happens to you, it means that your account was affected. After logging back in, you’ll also see a notification from Facebook explaining the issue.
According to the Associated Press, CEO Mark Zuckerberg’s own account was also compromised in the attack. He has also shared a lengthy Facebook post regarding the breach:
I want to update you on an important security issue we've identified. We patched the issue last night and are taking…
Going deeper, the blog post also explains the root cause of the bug. Due to some changes made in the video uploading feature, it caused multiple issues in the code. “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” it adds.
You can read the complete post here.