Updated: Apr 13, 2020
Facebook had a flaw in security with its “View As” feature – over 50 million accounts were affected.
Facebook stated it was because of a compromise in third party apps. However, this statement was retracted, claiming that the attackers did not use the tokens in third-party apps.
They believed that bugs might have allowed the use of swiped tokens to access accounts from third-party apps. For example, if a site offered a “log in with Facebook ” feature.
This could have been a big problem since there are reportedly over 40,000 third-party apps found on Facebook according to research by a team led by Jason Polakis from the University of Illinois, Chicago.
This concern, however, has now been debunked because the social network reportedly logged all the 90 million hacked accounts out to invalidate the tokens.
In fact, the Vice President, Guy Rosen, posted an update on Facebook claiming that it did not happen.
In his post, he stated, “We have now analysed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login”.
Furthermore, he also emphasized that third-party app developers are protected through either: (1) Facebook’s or; (2) they frequently checked the validity of the user access tokens.
Facebook is developing a tool to help them identify the affected users of their apps manually to log them out immediately.
Former CISO Alex Stamos, however, doubted the warning about the possible breach of third-party apps and speculated that it is a response to the GDPR’s 72-hour disclosure rules tweeting, “Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1) Announce & cop to max possible impacted users. 2) Everybody is confused about the actual impact, lots of rumours. 3) A month later truth is included in the official filing”