(Credit: rvlsoft/Shutterstock)

In the wake of reports that Facebook is selling ads based on the phone number that you provide to protect your account with two-factor authentication, the company is now reporting a hack affecting 50 million accounts that required the social-networking giant to log all of those users out of Facebook. The company is also extending this move to an additional 40 million accounts that may or may not have been affected.

SEE: Twitter CEO Jack Dorsey: "We have definitely been utilized to manipulate people"

Guy Rosen, vice president of product management, broke the news on Facebook: "This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

Access tokens are "digital keys" and part of how Facebook verifies that an unauthorized person isn't gaining access to your account. But Rosen said that the vulnerability has been fixed, and law enforcement has been notified.

He adds that it's not necessary to change your password as a result of this hack. "But people who are having trouble logging back into Facebook -- for example because they've forgotten their password -- should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the 'Security and Login' section in settings. It lists the places people are logged into Facebook, with a one-click option to log out of them all."

FOLLOW Download.com on Twitter for all the latest app news.

"View As" is a feature for your Facebook profile page that lets you see how the page appears to the public and to your friends, versus how it appears to you. This allows you determine how much of your personal information is findable in a search engine or on Facebook itself. Rosen says that the company has turned off View As until it's gotten to the bottom of the issue.

Rosen warns, "Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don't know who's behind these attacks or where they're based."

He did not provide any characterizations of the affected user group -- geographic region, political affiliations, income, educational level, age -- so we can only speculate on what ties them all together, if anything.

The takeaways

  • Facebook has announced that 50 million accounts have been breached by a security vulnerability related to its "View As" feature. The breach has been repaired, and the authorities have been notified.
  • All 50 million accounts have been logged out by Facebook. These users will need to sign in again.
  • An additional 40 million accounts may or may not have been affected, and they have been logged out as a precaution as well.
  • The company says that you do not need to change your password as a result of this hack.

Also see

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.