The disclosure prompted new threats of investigations into the social network by at least one state attorney general and by Irish authorities who protect the interests of European users.
Facebook did not say how many accounts had been taken over through the vulnerability.
Guy Rosen, Facebook’s vice president of product management, said on a phone call with reporters that the attackers could have accessed not only the 50 million Facebook accounts, but also potentially any other services for which those people used their Facebook login.
The company said in a blog post that someone had used the vulnerability to attack its network, although it did not know who was behind the attempt. Facebook said it had yet to determine whether any accounts were misused or if any information was improperly accessed.
“We’re continuing to look into this and we’ll update when we know more,” Facebook CEO Mark Zuckerberg said on a call with reporters.
Zuckerberg’s own account was compromised in the attack, as was the account of Sheryl Sandberg, the company’s chief operating officer, the company said.
The flaw in Facebook’s code was related to the site’s “view as” feature, which lets people see what their own profile looks like to someone else. Facebook said it had disabled the feature for now and was resetting the digital keys — known as “access tokens” — that the 50 million people use to log in, as well as the digital keys of another 40 million accounts that had been “subject” to a “view as” look-up in the past year.
Facebook noted that the affected users would have to log in to their accounts and would receive a notification at the top of their News Feed.
The attackers did not take passwords or credit card information, the company said.
The vulnerability had roots in a July 2017 update to Facebook that involved the ability to upload birthday videos, according to the company. When those videos showed up on people’s pages using the “view as” feature, access tokens were exposed, Facebook said.
Facebook said it had fixed the vulnerability since discovering it on Tuesday, and had also informed law enforcement including the FBI and Ireland’s data protection commission. Facebook serves its European users from a regional headquarters in Ireland.
The Irish Data Protection Commission expressed frustration at the lack of details coming from Facebook.
The agency said in a statement it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.” It said it would continue to press the company “to clarify these matters further as a matter of urgency.”