Facebook Uncovered a New Hack That Affected 50 Million Accounts

This is the biggest data breach the company has seen since Cambridge Analytica.

Ting Shen/Xinhua/ZUMA Wire

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.

On Friday, Facebook announced it had discovered a security breach that had affected at least 50 million accounts. The company told reporters the breach was first discovered Tuesday after an investigation was launched earlier this month when engineers noticed “suspicious” activity on the platform. The original security vulnerabilities, which allowed hackers to access user accounts, were traced back to a video feature introduced in June 2017 that allowed users to share “Happy Birthday” videos.

The security breach allowed hackers to log in to user accounts through stolen “access tokens,” which are saved to browsers so users may remain logged onto the site. Facebook says the attack affected 50 million accounts that had used its “View As” feature, which allows users to see what their own profile looks like to someone else. An additional 40 million accounts that used the site’s “View As” feature were also logged out, though Facebook said it has not determined that hackers accessed those accounts. Access was also reset for Instagram and Occulus accounts linked to Facebook.

Guy Rosen, Facebook’s vice president of product management, told reporters Friday the company notified the FBI and Irish Data Protection Commission on Wednesday. By Thursday night, the vulnerability was fixed.

But much is still unknown about who is behind the attack or their intentions. Rosen told reporters that hackers were only able to access user profile information—such as gender, location, and date of birth—and no passwords or credit card information were breached. Rosen also told reporters Facebook was unable to say if the hackers targeted users in a specific region, or how many of the accounts breached were actually used by hackers. “We don’t know exactly if they’re using just those, or if it’s a part of a set of steps they may be taking in the future,” Rosen said.

Facebook declined to speculate if a nation state was involved with the attack or why certain profiles were targeted, but did say it was likely that automation was used due to the scale of the attack.

The hack comes months after it was revealed that a data breach allowed for political consulting firm Cambridge Analytica to access the private information of up to 87 million users, which has left the company scrambling to rebuild user trust. “Security is an arms race, and we’re continuing to improve our defenses,” Facebook CEO Mark Zuckerberg said during a press call Friday. “I think that this underscores there are constant attacks where people trying to take over accounts steal information in our community.”

So far, lawmakers have seemed unimpressed with the company’s response. While the Federal Trade Commission has not made any official announcement regarding the matter, FTC Commissioner Rohit Chopra tweeted, “I want answers.” Sen. Mark Warner (D-Va.), who as vice chair of the Senate Intelligence Committee has been leading the conversation about regulating technology companies after their role in foreign interference in the 2016 election, called the news “deeply concerning.”

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before—the era of the Wild West in social media is over,” Warner said in a written statement.

The news comes just days after representatives from companies including Facebook, Twitter, and Amazon testified in front of the Senate Committee on Commerce, Science, and Transportation to discuss different approaches to better safeguarding consumer data.

This article has been updated.


Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

payment methods

We Recommend