Facebook CEO Mark Zuckerberg’s account is among those compromised in the hacking that has left the tech giant facing a major security breach, the Associated Press reported today, 29 September.
The incident, which allowed 50 million user accounts to be accessed by unknown attackers, is the latest setback for Facebook during a tumultuous year of security problems and privacy issues for the social media platform.
The hack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as “access tokens,” possession of which allowed them to control those accounts.
Guy Rosen, Facebook’s Vice President of product management, said that one of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, according to AP.
Rosen also admitted that Facebook only noticed the uptick in unusual activity in mid-September and only learned of the attack this week.
The tech giant also stated that it has not yet been able to determine who was behind the attack.
“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Rosen said in a call with reporters.
“It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”
Facebook confirmed on Friday that third-party apps, as well as its own Instagram app, could have been affected.
However, neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.
Jake Williams, a security expert at Rendition Infosec, told AP that he is concerned that the hack could have affected third-party applications.
Williams noted that the company’s “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials.
“These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.