You know those emails Facebook sends you with a direct link to your account? Imagine 1.3 million of those links becoming available online, and you understand the massive security loophole that Facebook says it plugged yesterday, BBC reports. How the links ended up online isn't clear, but a message posted on Hacker News included a search string that brought them all up on Google. And some of them didn't require a password to enter the account.
Many of the links connected to throwaway mail sites or services that protected their email archives poorly—which would explain how they ended up online, says Facebook engineer Matt Jones. "Regardless ... we've turned the feature off until we can better ensure its security," he wrote. Just last week, a Bulgarian blogger said he bought info on 1.1 million Facebook users online for just $5—but a Facebook rep says that incident seems unrelated to the latest breach, the New York Times reports. (More Facebook stories.)