In a statement released Friday, the company said that attackers could use Facebook’s “view as” tool, which lets a user see what their profile looks like to other users, to steal other users’ access tokens: digital keys that allow a user to stay logged into the social network without re-entering their password every time.
The issue was discovered by Facebook engineers on Tuesday, and Facebook said on Friday that it’s fixed the vulnerability, reset 50 million affected users’ access tokens, and informed law enforcement. The company reset a further 40 million users’ tokens as a precaution, bringing the total number of accounts affected in some way to 90 million.
“We have yet to determine whether these accounts were misused or any information accessed,” read Facebook’s statement. “We also don’t know who’s behind these attacks or where they’re based,” the statement continued.
The company then returned to a phrase it has used repeatedly in 2018: “we’re sorry.” Facebook’s year of apologizing began in March when it was revealed that some 90 million users had their private data – including their personal messages – leaked to political research firm Cambridge Analytica.
From there, the company has been rocked by scandal after scandal, including multiple accusations of privacy infringement and politically-motivated censorship, and CEO Mark Zuckerberg found himself hauled in front of Congress in the US and the European Parliament in Brussels to assure lawmakers that his company takes privacy seriously.
Facebook’s latest privacy breach comes only one day after the social media behemoth confirmed that it uses phone numbers – provided by users for authentication and security purposes – to target advertisements.
The company admitted that it shares “shadow contact” information, such as a phone number provided to Facebook for security reasons but not publicly displayed on a user’s page, or phone numbers of users’ friends, with advertisers. One year beforehand, Facebook denied this practice.