Facebook today said the site was hit last week with a massive security breach, after hackers were reportedly able to gain access to accounts belonging to as many as 50 million of the site’s users.

The breach was discovered on Tuesday by the social media network’s engineering team. The company said that hackers had exploited a vulnerability in the site’s “view as” feature, a privacy control that allows users to see what their profile looks like to others. A reported bug in this feature allowed attackers to steal “access tokens” — or digital keys that allow people to stay logged in after multiple sessions — which the hackers then allegedly used to take over users’ accounts.

Facebook said it has since fixed the vulnerability. Anyone affected by the breach was logged out of the network on Friday morning and prompted to re-log-in for security purposes.

“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened,” Facebook said in a Friday statement on the newsroom portion of its site.


The company also said that it doesn’t currently know the attackers’ identity or their country of origin. An internal investigation into the matter is still in its early stages, and Facebook hasn’t yet fully assessed the scope of the attack, when it happened or what information was accessed from users’ accounts. It has notified the FBI about the breach and, per Europe’s new GDPR regulations, has informed the Irish Data Protection Commission.

“This is a really serious security issue. And we’re taking it really seriously,” Facebook CEO Mark Zuckerberg said today in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces, and investigates issues like this. In this case, I’m glad that we found this and that we were able to fix the vulnerability and secure the accounts. But it definitely is an issue that this happened in the first place.”

The breach is the latest development in what has become an ongoing security drama for the company, coming only months after it was discovered that Trump-linked data analysis and political consulting firm Cambridge Analytica illicitly harvested the data of an estimated 87 million Facebook users in order to pitch them political messages in the months leading up to the 2016 presidential election.

Prior to that, the site had been excoriated for allowing Russia-backed propaganda outfits to purchase political ads and circulate millions of items of misleading content over the site’s news feed.

For its part, however, Facebook’s PR response to this latest crisis appears to be far more bullish and transparent than its role in previous scandals. The site announced the hack on its own volition today, beating the press to the story. The company was also on the ball in fixing the technical aspects of a problem it had learned about only three days before, a far cry from how Facebook handled the Cambridge Analytica leak, which the company had allegedly known about since 2015 yet never shared with the public until the press broke the story in early 2018.

“Facebook has finally learned from its mistakes in crisis communications,” Curtis Sparrer, co-founder and principal of Bospar, told O’Dwyer’s. “Instead of waiting months or years to disclose bad news to the public like they did in the past, Facebook did the right thing and alerted us now. Our research shows that most Americans expect companies like Facebook to reveal such breaches in a week’s time and actually reward companies for being responsive and transparent. We hope to see this trend continue.”