Facebook Inc. has discovered a security flaw affecting about 50 million user accounts which could have allowed attackers to take over those accounts, the social networking company said on Friday.
Facebook, which has more than 2 billion monthly active users, has since fixed the vulnerability and informed law enforcement, it said.
Attackers stole Facebook access tokens through its “view as” feature, which they could then use to take over people’s accounts. “View as” allows users to see what their own profile looks like to someone else.
“We do not currently have any evidence that suggests these accounts have been compromised,” Chief Executive Officer Mark Zuckerberg said in a Facebook post.
Facebook shares fell more than 3 percent in afternoon trading, weighing on major Wall Street stock indexes.
Facebook has reset the access tokens of the 50 million affected accounts, and as a precaution, reset access tokens for another 40 million that have been looked up through the “view as” option over the last year.
About 90 million people will have to log back in to Facebook or any of their apps that use a Facebook login, the company said.
Facebook is also temporarily disabling “view as”.
The company would need to continue developing new tools to make its accounts more secure and prevent similar incidents, he added.
Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy.
In 2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.