By Munsif Vengattil, Arjun Panchadar and Paresh Dave
(Reuters) – Facebook Inc said on Friday that hackers had discovered a security flaw that allowed them to take over up to 50 million user accounts, a major breach that adds to a bruising year for the company’s reputation.
Facebook, which has more than 2 billion monthly active users, said it has been unable to determine yet whether the attackers misused any of the affected accounts or stole private information.
Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy. The disclosure has prompted government inquiries into the company’s privacy practices across the world, and fueled a “#deleteFacebook” movement among consumers.
Shares in Facebook fell more than 3 percent in afternoon trading, weighing on major Wall Street stock indexes.
The latest vulnerability had existed since July 2017, but Facebook did not discover it until this month when it spotted an unusual increase in use of its “view as” feature.
“View as” allows users to see what their own profile looks like to someone else. The flaw inadvertently issued users of the tool a digital code, similar to browser cookie, that could be used to post from and browse Facebook as if they were someone else.
The company said it fixed the issue on Thursday. It also notified the U.S. Federal Bureau of Investigation, Department of Homeland Security and Irish data protection authority about the breach.
Facebook reset the digital keys of the 50 million affected accounts, and as a precaution reset those keys for another 40 million that have been looked up through the “view as” option over the last year.
About 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said.
Facebook is also temporarily disabling “view as,” it said.
In 2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.
(Reporting by Munsif Vengattil and Arjun Panchadar in Bengaluru, Paresh Dave in San Francisco; Editing by Sai Sachin Ravikumar and Meredith Mazzilli)