Facebook revealed on Friday that it discovered a hack affecting the accounts of 50 million users.
The company said that hackers had exploited a vulnerability affecting those users, but it hasn’t determined what information might have been accessed.
“This is a real serious security issue and we’re taking it really seriously,” Facebook CEO Mark Zuckerberg said on a call with reporters. “It definitely is an issue that this happened in the first place.”
{mosads}Facebook said that hackers had attacked a vulnerability in their software related to the “View As” feature, which lets users look at their own profiles from a third-party’s perspective. The company said it’s fixed the vulnerability and turned the feature off as a precaution.
The vulnerability was introduced into Facebook’s system in July of 2017 when the company overhauled the “View As” feature. On September 16, Facebook says that it found unusual activity on its platform and launched an investigation, ultimately identifying the vulnerability and the intrusion on Tuesday.
The announcement comes at an awkward time for Facebook, which is still struggling to rebuild its reputation after the Cambridge Analytica data scandal earlier this year, which Zuckerberg had to answer for on Capitol Hill.
And it comes as Congress is preparing a national privacy bill that the tech industry is hoping will prevent states from passing their own data collection laws like California did this summer.
The 50 million users affected by the hack will have to log back into their accounts manually and will be notified of the incident. Another 40 million users who had used the feature will also have to be logged back in.
The hackers were able to steal “access tokens,” which essentially allowed them to enter an account. Facebook said it’s still unsure who carried out the attack but that finding the vulnerability would have been a complex task.
Earlier on Friday, a Taiwanese hacker backed down from plans to livestream a hack of Zuckerberg’s account on Sunday. Facebook said it didn’t know if the incident was related to that hacker or the vulnerability he had identified.
The hack also comes a month after Alex Stamos, Facebook’s highly regarded chief security officer, left the company for a position at Stanford University.
In a statement on Friday, Sen. Mark Warner (D-Va.), who as the top Democrat on the Senate Intelligence Committee has been critical of Facebook’s response to Russian online disinformation campaigns, called Friday’s announcement “deeply concerning” and called for a full public investigation.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Warner said, referring to the credit bureau that had been hacked last year, exposing 145.5 million people.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” he added. “As I’ve said before – the era of the Wild West in social media is over.”
Updated at 2:25 p.m.