Facebook Inc. has uncovered an attack on its network by hackers who accessed the accounts of tens of millions of users. The revelation is likely to bring more public scrutiny to the social media giant as it scrambles to convince regulators and investors that it can protect its platform from abuse.
Facebook said it detected the security breach on Tuesday after it noticed an unusual spike in user activity earlier in the month. Hackers had been able to exploit a series of vulnerabilities in Facebook’s code to gain control over as many as 50 million user accounts.
The company said it had not yet determined the identity or location of the attackers, or whether the hackers had actually misused any of the accounts they accessed. Executives said they had found no evidence that hackers had posted content to people’s Facebook pages, or read users’ private messages, but stressed their investigation was still in its early days. Facebook said the attack appeared to affect its user base broadly, rather than targeting users in a specific country.
“This is a really serious security issue and we’re taking it really seriously,” chief executive officer Mark Zuckerberg told reporters on a conference call Friday. “The reality here is we face constant attacks from people who want to take over accounts and steal information … we need to do more to prevent this from happening in the first place.”
The company said it had notified the FBI as well as Irish data protection authorities responsible for enforcing European digital privacy laws enacted earlier this year. As a precaution, Facebook said it had logged the 50 million users out of their accounts, along with another 40 million people who had used the hacked features in the past year.
The security breach is a significant setback for Facebook’s efforts to convince lawmakers and regulators that it can self-police its platform and protect the safety of its more than two billion users.
The social network is facing multiple U.S. federal investigations amid a series of privacy, data-misuse and political interference scandals.
U.S. regulators and lawmakers lashed out at the company over its latest scandal on Friday.
“I want answers,” U.S. Federal Trade Commissioner Rohit Chopra wrote in Twitter. The Irish Data Protection Commission issued a statement condemning the Silicon Valley company for not providing enough details about the breach and “pressing Facebook to urgently clarify these matters.”
Senator Mark Warner, the ranking Democrat on the U.S. Senate intelligence committee, demanded a full, transparent investigation into the security breach.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” he tweeted. “As I’ve said before – the era of Wild West in social media is over.”
Facebook said the security breach involved hackers who had been able to exploit a bug in the code of a feature known as “View As,” which allowed users to see how their profiles looked to other Facebook users depending on how they had set up their privacy settings. Hackers were able to exploit the View As tool through other bugs in the platform, including one to a video uploading tool that Facebook introduced on its platform last July and a feature that allows users to remain logged into their Facebook pages over multiple sessions without having to re-enter their passwords. The company warned that the hackers had also potentially gained to some third-party apps that allow their users to login through their Facebook accounts, including Facebook-owned Instagram.
Facebook said it had fixed the bugs and temporarily shut down its View As feature.
“This is a complex interaction of multiple bugs that happened together,” said Guy Rosen, an executive who helps oversee security at Facebook. The attack required a level of technical sophistication and occurred on a large scale, he said.
Facebook’s share price fell 2.8 per cent on Friday. The company’s stock has slid more than 20 per cent since July on the heels of a disappointing earnings report showing that user growth had stagnated in the United States and Canada.
The security breach is the latest in a stream of negative news for the company. Earlier this week, the founders of Facebook-owned Instagram, the popular photo-sharing app, left the company amid speculation they had clashed with Mr. Zuckerberg. Brian Acton, co-founder of WhatsApp, told magazine this week that he left the company last year in part over disagreements about Facebook’s plans to sell advertising on the encrypted messaging platform and because he felt it had misled European Union antitrust regulators about its plans to share data between Facebook and WhatsApp.
Facebook had also reorganized its security team shortly before it revealed the data breach this week, after its chief security officer left the company last month. Mr. Rosen said the reorganization had boosted the company’s security efforts and helped Facebook identify the attack earlier than it may have in the past.
“The harder you look the more you will find,” he said. “So we are looking and we are finding and we are responding fast.”