Facebook's Security Breach On Sept. 28 Involved 50 Million Accounts
While Americans were — very reasonably — distracted by some major news, Facebook was experiencing a security breach that involved around 50 million accounts, as reported by the New York Times. The breach was found on Tuesday, the way the hackers got in was repaired, and Facebook contacted law enforcement. The type of hacking involved would have allowed those behind it to take over users' accounts.
The 50 million accounts affected had their access tokens, which allow users to stay logged in without re-entering their password each time, reset. Forty million other accounts were also reset as a precaution. As CNBC points out, while this is 90 million accounts in total, that is only four percent of the total active Facebook accounts as that number is around 2.23 billion.
According to a press release from Facebook, the 90 million users will have to re-enter their password to log back in and when they do, they will see a message at the top of the page explaining what happened. Facebook also explains that because the breach occurred via code related to the "View As" feature, which shows viewers what their page looks like to the public, that feature has been shut down while the security review is in progress. Anyone who used "View As" in the past year has been logged out.
The release goes on to explain, "Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based."
Facebook also adds that if it's found that more accounts were affected, their access tokens will be reset, as well. The company notes that users don't need to reset their passwords, but that if people want to log out and back in as a precaution, they can do that. (The site provides further instructions for users who want to do that and who are logged in through multiple interfaces.)
Facebook CEO Mark Zuckerberg commented on the situation on his own Facebook account with a message similar to the press release. He also shared, "We face constant attacks from people who want to take over accounts or steal information around the world. While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place."
The news of the Facebook breach comes soon after a Taiwanese hacker, Chang Chi-yuan, claimed he figured out how to delete Zuckerberg's account and would do so on a live stream. As Bloomberg reports, as of Friday he's changed his mind. He told the publication, "I am canceling my live feed, I have reported the bug to Facebook and I will show proof when I get bounty from Facebook."
As made clear in the statement from Facebook, there is currently no connection between these two hacking incidents as the company does not yet know who was behind the breach.