Facebook said on Friday that a recent data breach has compromised the personal information of some 50 million users.
The company says it discovered the breach this week. Hackers purportedly exploited a feature in the social media website’s code that allowed them to take over individual accounts en masse.
Facebook claims it’s already fixed the issue and is actively working with law enforcement to identify the culprits.
“We’re taking it really serious,” said Facebook chief executive Mark Zuckerberg. “We have a major security effort at the company that hardens all of our surfaces.”
“I’m glad we found this,” he added. “But it is definitely an issue that this happened in the first place.”
The Times says that more than 90 million Facebook users were forced to log out of their accounts Friday morning—a common safeguard against hacking and unauthorized account access.
However, Facebook has yet to learn the origin or identity of the virtual attacks. Neither, for that matter, has the company determined exactly how many users were affected.
The investigation is, according to Zuckerberg, still in its beginning stages.
Facebook told reporters and the Times that the bug was related to the website’s ‘view as’ feature, ‘which allows users to view their own profiles as if they were someone else.’ That feature is one of several that are supposed to give users more control over their own privacy.
The ‘view as’ exploit was purportedly compounded by another in Facebook’s video-uploading program, which went into use last year.
Together, the flaws allowed attackers to steal what the Times terms ‘access tokens’—digital keys that let hackers mask a series of unauthorized entries.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” said Guy Rosen, Facebook’s vice president of product management. “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
One of Facebook’s major challenges to date has been convincing the public that it’s capable of protecting their private information. Russian attempts to influence the 2016 U.S. presidential election cast doubt on the website’s ability to regulate the legitimacy of advertisers, who can target users within a desired demographic using Facebook’s marketing tools.
Another scandal concerned Cambridge Analytica, a British consulting firm accused of improperly harvesting the personal data of close to 87 million Facebook users.
In total, The Times says that more than two billion people use Facebook every month.
Along with Facebook, another two billion regularly use WhatsApp, a messaging application acquired by the company in 2014. Facebook also owns Instagram.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg said earlier in the year.