By Mike Isaac and Sheera Frenkel
SAN FRANCISCO — Facebook said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users.
The company said it discovered the breach this week. The attackers exploited a feature in Facebook’s code that allowed them to take over user accounts. Early Friday, Facebook forced more than 90 million users to log out of their accounts, a common safety measure taken when accounts have been compromised.
Facebook said it had fixed the vulnerability and notified law enforcement officials.
“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “I’m glad we found this, but it definitely is an issue that this happened in the first place.”
Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack. Its investigation is still in its beginning stages, it said.
The attackers exploited two bugs in the site’s “view as” feature, which allows users to view their own profiles as if they were someone else, Facebook said. The feature was built to give users more control over their privacy.
That was compounded by a flaw in Facebook’s video-uploading program, a software feature that was introduced in July 2017, the company said. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.
It is not clear when the attack happened, but it appears to have occurred after the video-uploading program was introduced.
[Read more about what you can do to secure your Facebook account.]
The attack was discovered as Facebook continued to contend with the aftermath of its role in a widespread Russian disinformation campaign during the 2016 presidential election and from the fallout of the Cambridge Analytica scandal, in which a British consulting firm improperly harvested the personal data of up to 87 million Facebook users. The company also faces the prospect of federal regulation amid questions about whether it has grown too powerful.
One of Facebook’s primary challenges has been convincing users that it can responsibly handle the incredible wealth of data it has access to. More than two billion people use Facebook every month; two billion also use WhatsApp, a Facebook-owned messaging app, and Instagram, the Facebook-owned photo-sharing app.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Mr. Zuckerberg said in a statement regarding Cambridge Analytica this year.
Even before the disclosure on Friday, Facebook was caught up in multiple federal investigations of its data-sharing and privacy practices. The Securities and Exchange Commission has opened an inquiry into the company’s statements about the Cambridge Analytica episode.
Facebook insists that it has instituted strict data-sharing policies with third parties, and has scaled back the amount of data it agrees to share with developers. The company suspended access to more than 400 third-party apps after an audit of the thousands of outside apps connected to Facebook.
In the conference call on Friday, Guy Rosen, a vice president of product management at Facebook, declined to say whether the attack could have been coordinated by hackers supported by a nation-state. He said the attack was “complex,” and leveraged three separate bugs in Facebook’s code that, once compounded, provided widespread access to user accounts.
The hackers also tried to harvest people’s private information, including name, sex and hometown, from Facebook’s systems.
Facebook has been reshuffling its security teams since Alex Stamos, the chief security officer, left in August for a teaching position at Stanford University. Instead of acting as a stand-alone unit, security team members work more closely with product teams across the company. The move, the company said, is an effort to embed security across every step of Facebook product development.
Members of Congress immediately seized on the latest breach to criticize Facebook.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Senator Mark Warner, a Democrat from Virginia and one of Facebook’s most vocal critics in Congress, said in a statement. “A full investigation should be swiftly conducted and made public so that we can understand more about what happened.”