On Tuesday, 25 September Facebook was dealt its most massive security breach that sent shockwaves worldwide. 50 million of its users’ accounts had been left compromised, including that of its CEO Mark Zuckerberg and its COO Sheryl Sandberg via a major hack through a weakness in its “View As” feature that is part of the Facebook profile page with another 40 million accounts suspected to have been susceptible to the same security breach.

This latest security breach is by far the most widespread and most damaging as it enabled attackers to directly take over the control of the user’s Facebook account and left the users’ personal information exposed. The social media giant had been prompted to the breach by a sudden suspicious surge in user log-in on Sunday, 16 September. 9 days later on Tuesday, 25 September, its engineers discovered the largest security breach in the company’s history.Facebook said that the hack allowed the attacker to see everything in the account that had been hacked but was not sure if it included private messages.

Hackers preyed upon the vulnerability of the “View As” feature that is available on the account user’s profile page. This feature allowed users to view their profile page the same way that others would be able to look at it. Through its investigations, Facebook engineers found out that hackers exploited a series of bugs related to the “View As” feature to generate access tokens. This was a tool that enabled hackers to stay logged in without having to key in the required password every time they wanted to access the Facebook accounts. In fact, Guy Rosen, Vice-President of Product Management at Facebook confirmed that the shocking discovery of the breach also included other applications and sites that users had accessed using their Facebook accounts, making this latest security threat the most widespread Facebook had ever encountered. So dire was the security problem that it was said that the giant company had initially blocked the breaking stories about the major breach. Facebook, however claims that it was done accidentally through the system branding the news as spam.

In order to counter and solve the huge security problem, Facebook had to log about 90 million of its users out of their accounts on Friday, 28 September. This was a measure taken to reset the access tokens on the 50 million accounts that were breached and for the additional 40 millions accounts that were at risk due to the “View As” function being used in the past year. The said feature has also been suspended by Facebook for the time being as it continues its investigations. Despite the attack, Facebook insisted that users plagued by the breach need not change their passwords, a move some users brand as absurd and irresponsible considering the far-reaching consequences of users’ confidential information being left exposed to hackers.

Facebook is said to be facing intense scrutiny in Europe under the General Data Protection Regulation (GDPR), a law that required a breach to be reported to an European agency within 72 hours. In its home base country of America, it is also confronted by a more aggressive supervision from the United States (US) Congress.

Even as Facebook has been seen to be upfront and open to its users on the problems presented by this latest security attack with updates on the situation via its official Twitter page and website, it continues to face immense criticism from tech experts, users and governments. CEO Mark Zuckerberg looks set to be facing a most challenging few weeks ahead.