On September 25, Facebook announced on the official blog that the Facebook engineering team found out a security hack that’s effected around 50 million accounts worldwide. It pointed out that this attack uses the vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.

According to the announcement, the attackers succeeded in taking Facebook access tokens which they could then use to take over people’s accounts. As a result, Facebook carry out massive investigation to identify what exactly happened and took some effective actions to solve this security issue, such as:

1. The Facebook engineering team has fixed the vulnerability and informed law enforcement.
2. Resetting the access tokens of the almost 50 million accounts.
3. Facebook is also temporarily turning off the “View As” feature while they conduct a thorough security review.
4. Facebook is creating a new tool to allow developers to manually explore the users of their apps who may have been affected, in order to can log them out. Facebook spokesperson Katy Dormer said the company was “working on the tool now” but didn’t have a release date.

Now, after a deep investigation, Facebook managed to reach accurate details and information about the security breach. It says that its security team knows that fewer people were impacted than they originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen. Otherwise, in the same announcement, Facebook explains how this Security Breach happened.

As said by Facebook:

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”

On the other hand, Facebook mentioned that this breach did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts