Facebook finds security breach affecting nearly 50 million accounts




Hackers have accessed nearly 50 million accounts, the biggest security breach ever recorded on the social network, at a time when it seeks to regain the trust of its more than 2 billion users.

The company said Friday it did not know who was behind the attack, which was discovered earlier this week. The hackers could have had access to the accounts as of July 2017, said the company.

Chief Executive Mark Zuckerberg said Facebook did not have evidence that attackers had accessed private messages and user posts, or had posted as users. But he did not exclude this possibility. "The investigation is still very early and we do not know yet if one of the accounts has been misused," he said. "Of course, that can change."

Zuckerberg and Chief Operating Officer Sheryl Sandberg were among those affected by the breach, Facebook said.

Executives said the attack was sophisticated, requiring hackers to find and exploit three obscure loopholes in its code. They said that it would be difficult to determine who was behind it. "And we may never know," said Guy Rosen, head of security at Facebook.

Facebook said Friday that it was still investigating the extent of the breach. Security researchers have warned that it could ultimately have a much wider impact.

This breach is the latest setback for the world's largest social network, which has been criticized by Congress for its mismanagement of a two-year Russian influence operation on its platform. In March, the company said the data from millions of users had been inappropriately shared with Cambridge Analytica, the now-defunct analytics company linked to President Trump's 2016 campaign.

The revelation comes months after Facebook revised its security team and eliminated the role of security officer. The news also comes a little over a month before the mid-term elections of 2018, a period during which Facebook will be subject to scrutiny to protect its platform from foreign interference.

Facebook shares fell 2.6% on Friday to close at $164.46.

Facebook said it is working with the Federal Bureau of Investigation to determine the identity of the hackers. "The FBI has been in contact with Facebook and we are aware of the situation. We refuse to provide more details at the moment," said an FBI representative.

Facebook said that all users suspected of being affected by the breach were automatically logged out of their accounts Thursday night Pacific time and had to log back in. Users who were not logged out of their accounts are not believed to have been affected. Facebook also indicated that a notification would appear at the top of the news feeds of affected users once they logged back in to their accounts.

Hackers gained access to accounts by exploiting a vulnerability in Facebook's "show as" feature, which allows users to see how their profiles appear to others. Three bugs in the Facebook code connected to the feature allowed outsiders to steal access tokens, digital keys that allow users to stay logged in to Facebook. One of the bugs appeared in a Facebook tool prompting users to download a video in which they wished someone a happy birthday, executives said.

With the stolen tokens, Facebook said, hackers could take over accounts, pretend to be users and access private information about these people and their friends, including Facebook connections, posts and messages from these users. Facebook executives said that there was no evidence that this had happened, nor that users' passwords and credit card information were exposed.

Nevertheless, the flaw allowed hackers to gain access to information that could be used for identity theft, said Dan Kaminsky, chief scientist of security provider White Ops Inc. The hackers could also have sold the tokens themselves, he said.

Facebook's authentication tokens can be used to log in to websites other than Facebook, said Mr. Kaminsky, via the "Connect with Facebook" feature used by sites such as Tinder and Spotify. A spokesman for Facebook said it was technically possible, but that Facebook had no proof that this had happened. Some affected users have been logged out of third-party applications as a precautionary measure, the spokesman said.

The spokesman said that Facebook had never had a security breach this significant. The company reset the access tokens for the approximately 50 million accounts involved, as well as for an additional 40 million that were subject to a "show as" lookup last year.

Facebook said that it disabled the "show as" feature while it performs a security review. The fact that the bug was exploited by hackers makes the breach more serious than other security incidents, Kaminsky said. "We often find bugs and no one has found them yet," he said. "This is not the case here."

The revelation Friday closed a difficult week for Facebook.

On Monday, the two co-founders of its Instagram app abruptly resigned after clashing with Mr. Zuckerberg about the autonomy of the app. Similar issues have pushed Facebook's WhatsApp co-founders to leave.

In Washington on Friday, the breach prompted a request for additional information from Rohit Chopra, a Democratic commissioner at the Federal Trade Commission, as well as a call for legislation on social media from Senator Mark Warner (D., Va.).

A Senate committee heard testimony this week on data privacy from several technology companies, including Alphabet Inc.'s Google and Twitter Inc. Facebook did not participate.

Facebook's ability to control its data has been questioned. In addition to the inappropriate sharing of data on around 87 million people with Cambridge Analytica, Facebook said earlier this year that most social network users might have had information extracted by marketers who used a feature to distribute profile data connected to email addresses and phone numbers.

Write to Deepa Seetharaman at [email protected] and Robert McMillan at [email protected]
