Facebook published a post in its newsroom today with the anodyne headline “Security Update.” But the post reveals a massive security breach which exposed the personal data of at least 50 million users. The discovery that the site had been breached by parties yet unknown was made Tuesday:

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts…

We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security…

Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.

Facebook CEO Mark Zuckerburg posted a statement on his personal Facebook account repeating some of the same information but adding that Facebook is constantly under attack:

We face constant attacks from people who want to take over accounts or steal information around the world. While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.

I guess it’s good that Facebook is being somewhat upfront about this. They obviously didn’t want to tip their hand before a patch was ready and that probably didn’t happen immediately. Honestly, if they’d wanted to completely bury this they could have announced it anytime yesterday. No one was paying attention to anything but Kavanaugh.

But the real question here isn’t whether they got hacked it’s who hacked them and why. There are lots of questions still to be answered. Were these state actors or profiteers (or both)? Did they actually steal a bunch of data or were they just poking around certain accounts? If the former, what are they going to do for people who had data stolen? If the latter, which ones and why?

Facebook promises to provide updates but I wonder how much detail we’ll get from this point out.