On Friday, Facebook announced it had discovered a security breach that had affected at least 50 million accounts. The company told reporters the breach was first discovered Tuesday after an investigation was launched earlier this month when engineers noticed “suspicious” activity on the platform. The original security vulnerabilities, which allowed hackers to access user accounts, were traced back to a video feature introduced in June 2017 that allowed users to share “Happy Birthday” videos.
The security breach allowed hackers to log in to user accounts through stolen “access tokens,” which are saved to browsers so users may remain logged onto the site. Facebook says the attack affected 50 million accounts that had used its “View As” feature, which allows users to see what their own profile looks like to someone else. An additional 40 million accounts that used the site’s “View As” feature were also logged out, though Facebook said it has not determined that hackers accessed those accounts. Access was also reset for Instagram and Occulus accounts linked to Facebook.
Guy Rosen, Facebook’s vice president of product management, told reporters Friday the company notified the FBI and Irish Data Protection Commission on Wednesday. By Thursday night, the vulnerability was fixed.
But much is still unknown about who is behind the attack or their intentions. Rosen told reporters that hackers were only able to access user profile information—such as gender, location, and date of birth—and no passwords or credit card information were breached. Rosen also told reporters Facebook was unable to say if the hackers targeted users in a specific region, or how many of the accounts breached were actually used by hackers. “We don’t know exactly if they’re using just those, or if it’s a part of a set of steps they may be taking in the future,” Rosen said.
Facebook declined to speculate if a nation state was involved with the attack or why certain profiles were targeted, but did say it was likely that automation was used due to the scale of the attack.
The hack comes months after it was revealed that a data breach allowed for political consulting firm Cambridge Analytica to access the private information of up to 87 million users, which has left the company scrambling to rebuild user trust. “Security is an arms race, and we’re continuing to improve our defenses,” Facebook CEO Mark Zuckerberg said during a press call Friday. “I think that this underscores there are constant attacks where people trying to take over accounts steal information in our community.”
So far, lawmakers have seemed unimpressed with the company’s response. While the Federal Trade Commission has not made any official announcement regarding the matter, FTC Commissioner Rohit Chopra tweeted, “I want answers.” Sen. Mark Warner (D-Va.), who as vice chair of the Senate Intelligence Committee has been leading the conversation about regulating technology companies after their role in foreign interference in the 2016 election, called the news “deeply concerning.”
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before—the era of the Wild West in social media is over,” Warner said in a written statement.
The news comes just days after representatives from companies including Facebook, Twitter, and Amazon testified in front of the Senate Committee on Commerce, Science, and Transportation to discuss different approaches to better safeguarding consumer data.
This article has been updated.