Facebook Inc has discovered a security flaw affecting about 50 million user accounts which could have allowed attackers to take over the accounts, the social networking company said on Friday.
Facebook has since fixed the vulnerability and informed law enforcement, it said.
Attackers stole Facebook access tokens through its “view as” feature, which they could then use to take over people’s accounts. “View as” is a feature that allows users to see what their own profile looks like to someone else.
Facebook has reset the access tokens of the 50 million affected accounts, it said. As a precaution, the company has reset access tokens for another 40 million accounts that have looked up through the “view as” option in the last year.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the company said in a blog post.
Facebook shares fell 3 percent to $163.78 in afternoon trading, weighing on major Wall Street stock indexes.
About 90 million people will have to log back in to Facebook or any of their apps that use a Facebook login, the company said.
Facebook also said it was temporarily turning off the “view as” option.