Guy Rosen, Facebook VP of Product Management, disclosed a security vulnerability this morning that affected at least 50 million users and potentially upwards of 90 million.
The vulnerability was associated with Facebook’s “View As” feature and allowed attackers to steal Facebook access tokens. These access tokens were then used to log into the associated accounts without knowing their passwords, letting attackers download users’ private information, photos and videos. Although any user account could have been attacked, Facebook estimates 50 million private profiles were possibly accessed. The vulnerability has been patched, and Facebook has logged out over 90 million users in order to reset their access tokens. Facebook staff also said no posts were made on users’ accounts, and no sign of stolen credit card information has been uncovered so far.
Since no password information was stolen, the only action potentially required of users is to log out. If you weren’t automatically logged out, you should log out in order to reset your access token. More updates are sure to be released as the investigation continues.