
Facebook Exonerates Third-Party Apps from The Last Security Breach

Facebook has described on its official blog its ongoing efforts to resolve the recent security breach. Last week, it announced that its engineering team had fixed the vulnerability and reset the access tokens (the digital keys that let users stay logged in without re-entering their password each time they open their account) for a total of 90 million accounts: 50 million whose access tokens had been stolen and 40 million that had been the subject of a “View As” look-up in the last year.

Last week, specifically on the afternoon of Tuesday, September 25, Facebook announced in an official blog post that its engineering team had discovered a security issue affecting at least 50 million accounts worldwide. Facebook clarified that the attack exploited a vulnerability in Facebook’s code that affected “View As”, a feature that lets people see what their own profile looks like to someone else. Through it, the attackers succeeded in stealing Facebook access tokens, which they could then use to take over people’s accounts.

Since then, Facebook has taken several actions to protect the security of users’ accounts and to investigate what happened:

  1. First, the Facebook engineering team fixed the vulnerability and informed law enforcement.
  2. Second, they reset the access tokens of the almost 50 million affected accounts (and, as noted above, 40 million more as a precaution). As a result, around 90 million people will now have to log back in to Facebook, or to any of their apps that use Facebook Login. People will also see a notification at the top of their News Feed explaining what happened.
  3. Third, they are temporarily turning off the “View As” feature while they conduct a thorough security review.
  4. Facebook has also analyzed its logs for all third-party partners that were installed or logged in during last week’s security breach.
  5. Facebook is building a new tool that lets developers manually identify which users of their apps may have been affected, so that those users can be logged out. Facebook spokesperson Katy Dormer said the company was “working on the tool now” but did not have a release date.

In the same announcement, Facebook says that in investigating what the attack means for apps that use Facebook Login, it found no evidence that the attackers accessed any apps using Facebook Login. Facebook also recommends the following Facebook Login security best practices for developers:

  • Use the official Facebook SDKs for Android, iOS and JavaScript: these automatically check the validity of access tokens on a daily basis and force a fresh login when tokens are reset by Facebook, protecting the security of users’ accounts.
  • Use the Graph API to keep information updated regularly, and always log users out of apps where error codes show that a Facebook session is invalid.
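The two developer practices above (verify stored access tokens, and log users out when the Graph API reports an invalid session) can be implemented server-side as shown in the following added example. This is illustrative code written for this article, not Facebook’s SDK or the Graph API client; the API version in the URL is an assumption, and the JSON responses are constructed samples shaped like the Graph API’s documented `/debug_token` and OAuthException formats rather than real API output.

```javascript
// Added example (not Facebook's SDK code): server-side handling of Facebook
// access tokens following the two practices above: (1) verify a token's
// validity via the Graph API /debug_token endpoint, (2) treat OAuth errors
// that indicate an invalid session as a signal to log the user out.
// No network calls are made here; the responses below are constructed samples.

const GRAPH_BASE = "https://graph.facebook.com/v3.1"; // assumption: API version

// Build the URL used to validate a user token. The app access token must
// stay server-side; never ship it to a browser or mobile client.
function buildDebugTokenUrl(userToken, appAccessToken) {
  const params = new URLSearchParams({
    input_token: userToken,
    access_token: appAccessToken,
  });
  return `${GRAPH_BASE}/debug_token?${params.toString()}`;
}

// Interpret a /debug_token response. Returns true only when the token is
// valid, was issued for our app, and has not expired at `nowSeconds`
// (expires_at of 0 means a non-expiring token).
function isTokenValid(debugResponse, expectedAppId, nowSeconds) {
  const d = debugResponse && debugResponse.data;
  if (!d || d.is_valid !== true) return false;
  if (String(d.app_id) !== String(expectedAppId)) return false;
  if (typeof d.expires_at === "number" && d.expires_at !== 0 && d.expires_at <= nowSeconds) {
    return false;
  }
  return true;
}

// Graph API OAuthException code 190 covers invalid or expired tokens;
// subcodes 460 (password changed), 463 (expired) and 467 (session
// invalidated) all mean the stored token must be discarded.
const INVALID_SESSION_SUBCODES = new Set([460, 463, 467]);

function shouldLogOut(errorResponse) {
  const e = errorResponse && errorResponse.error;
  if (!e || e.code !== 190) return false;
  // A 190 without a subcode still means the token is unusable.
  return e.error_subcode === undefined || INVALID_SESSION_SUBCODES.has(e.error_subcode);
}

// Logic an app would run on every Graph API response: when the token is
// reported invalid, drop our own session tied to it (simulated Map store).
function handleGraphResponse(sessions, userId, response) {
  if (shouldLogOut(response)) {
    sessions.delete(userId);
    return "logged_out";
  }
  return "ok";
}

// Constructed sample responses (not real API output).
const SAMPLE_DEBUG_OK = {
  data: { app_id: "123456", is_valid: true, expires_at: 2000000000, user_id: "42" },
};
const SAMPLE_DEBUG_REVOKED = {
  data: { app_id: "123456", is_valid: false, error: { code: 190, message: "Session is invalid." } },
};
const SAMPLE_GRAPH_ERROR = {
  error: { message: "Session has expired", type: "OAuthException", code: 190, error_subcode: 463 },
};

// Stand-alone usage: validate a token, then react to an error on a later call.
const store = new Map([["42", { token: "user-token-placeholder" }]]);
console.log(buildDebugTokenUrl("user-token-placeholder", "app-token-placeholder"));
console.log("token valid:", isTokenValid(SAMPLE_DEBUG_OK, "123456", 1700000000));
console.log("after error:", handleGraphResponse(store, "42", SAMPLE_GRAPH_ERROR), store.size);
```

The design point is that token validity is decided by Facebook, not by the app’s own session timer: a token Facebook has reset (as it did for the 90 million accounts) will fail `/debug_token` or return a code 190 error on the next Graph call, and the app must then end its own session rather than keep serving a user whose Facebook login no longer exists.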