On Friday, Facebook disclosed a security flaw that could affect up to 50 million users.
The flaw affected Facebook’s “View As” feature, which lets users look at their own profile as if they were another individual, so they can see exactly how their privacy and security settings shape what Facebook friends or non-connected accounts are shown.
The vulnerability appears to have arisen from an inadvertent exposure of access tokens when this feature was used, allowing an attacker who obtained a token to gain access to that user’s account. Access tokens let users stay logged in to their accounts without retyping their password again and again, and are widely used across many websites.
In a statement the social media giant said it was unclear whether the vulnerability had actually been exploited, when such an attack might have occurred or who might be behind it. In short, they don’t know a lot.
The company said it had both fixed the vulnerability and informed law enforcement of its existence.
In their statement, they outlined why users would now be forced to log in again:
Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
The “View as” function has now been disabled while Facebook conducts an investigation into how the vulnerability occurred and whether or not it was exploited.
The company also attempted to minimise user panic, by re-stating their commitment to security:
People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center.