50 million Facebook users affected by vulnerability

On the afternoon of Tuesday, September 25, 2018, Facebook's engineering team discovered a security issue affecting almost 50 million accounts.

Attackers exploited a vulnerability in Facebook that impacted the “View As” feature, which lets people see what their own profile looks like to someone else. This allowed them to steal access tokens for the platform, which they would later use to obtain access to the affected accounts, as reported by the company.

The organization, after fixing the vulnerability and informing law enforcement, has reset the access tokens of the 50 million affected accounts and, as a precaution, those of another 40 million that could have been affected, which will force users to log back in. After logging back in, they will receive a notification informing them of this incident.

Update 03/10/2018: Facebook researchers, after reviewing the logs of all third-party applications that use Facebook Login, have so far found no evidence that the attackers accessed any of these apps using this system. In addition, they report that they are working on a tool that allows developers who do not use the official SDKs to manually identify affected users in order to disconnect them.

Update 15/10/2018: Facebook has discovered that the number of affected accounts was not 50 million as initially thought, but about 30 million. For the first 15 million, the attackers obtained name information and contact details (phone number and email). For another 14 million, the attackers obtained the same data along with additional data such as username, gender, location, language, relationship status, religion, hometown, current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages followed and the 15 most recent searches. Finally, for the remaining one million accounts, the attackers did not access any information. Users can check whether they have been affected from the Facebook help center. In the coming days, the social network will also notify stakeholders about this incident.