Facebook — Data Breach
Executive Summary
Attackers exploited a vulnerability in the 'View As' feature to steal access tokens from nearly 50 million accounts, with an additional 40 million tokens reset as a precaution. The breach ultimately affected 30 million users, with 14 million having sensitive personal details exposed. This was Facebook's largest confirmed hack.
What Happened
On September 25, 2018, Facebook discovered that attackers had exploited a vulnerability in the 'View As' feature that was introduced in July 2017. The vulnerability allowed attackers to steal access tokens, which are digital keys that keep users logged into Facebook without re-entering passwords. Facebook fixed the vulnerability, informed law enforcement, and reset access tokens for approximately 50 million confirmed affected accounts plus an additional 40 million accounts as a precautionary measure.
Who Is Affected
Approximately 90 million Facebook users were affected and required to log back into their accounts. Facebook later confirmed that 30 million users were ultimately impacted, with 14 million of those having sensitive personal details such as name, gender, and hometown exposed through developer APIs. Users of Facebook Messenger were also logged out during the access token reset.
Why It Matters
This was Facebook's largest confirmed hack and occurred during an already difficult year following the Cambridge Analytica scandal. The breach demonstrated how a vulnerability introduced through a feature update can remain undetected for over a year, from July 2017 until September 2018. The scale of the incident, affecting tens of millions of users, raised significant concerns about Facebook's ability to protect user data and maintain user trust.
What You Should Do
Affected users were automatically logged out and needed to log back into Facebook and any apps using Facebook Login. Users should look for a notification at the top of their News Feed explaining what happened. Facebook stated that changing passwords is not necessary because access tokens do not store passwords, though users should remain vigilant for any unusual account activity.
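The token reset described in the sections above, and the point that no password change was needed, as an added illustration that is not Facebook's code: a hypothetical token service in which each access token is HMAC-signed and bound to a per-user generation counter, so that one bulk counter bump invalidates every token issued earlier while the stored password hash is never touched (all names and values are constructed).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class User:
    user_id: str
    password_hash: str         # never touched by a token reset
    token_generation: int = 0  # bumped once to invalidate every issued token

class TokenService:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.users: Dict[str, User] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: User) -> str:
        # The token records the generation it was minted under.
        payload = f"{user.user_id}:{user.token_generation}:{secrets.token_hex(8)}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token: str) -> Optional[str]:
        payload, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # forged or tampered token
        user_id, gen, _nonce = payload.split(":")
        user = self.users.get(user_id)
        if user is None or int(gen) != user.token_generation:
            return None  # token predates a reset: user must log in again
        return user_id

    def reset_tokens(self, user_ids) -> int:
        # Bulk reset: one counter bump per user logs out every session.
        hit = [self.users[u] for u in user_ids if u in self.users]
        for user in hit:
            user.token_generation += 1
        return len(hit)

def demo() -> dict:
    svc = TokenService(secrets.token_bytes(32))
    alice = User("alice", "constructed-password-hash")
    svc.users["alice"] = alice
    stolen = svc.issue(alice)  # a token captured before the reset
    before = svc.validate(stolen)
    svc.reset_tokens(["alice"])
    return {"before": before, "after": svc.validate(stolen),
            "fresh": svc.validate(svc.issue(alice)), "password_hash": alice.password_hash}
```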
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.