The tokens for those 50 million users, plus an additional 40 million, were reset as a precaution.
In a security update, Facebook said its investigation found that unknown hackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The flaw that allowed the attackers to get in involved Facebook's "View As" feature, which allows users to see what their profile looks like to other members.
The interaction of three different software bugs allowed the hackers to steal access tokens, in effect allowing them to access the corresponding accounts. The tokens work like digital keys that keep users logged in to Facebook so they don't have to repeatedly enter their username and passwords.
Spike in activity
In the security update, Facebook reported that the attack was revealed when engineers saw an unusual spike in activity that started on September 14.
"On September 25, we determined this was actually an attack and identified the vulnerability," the company said. "Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed."
As a precaution, Facebook turned off “View As” and said it is working with the FBI to determine the parties that might be responsible for the attack.
While fewer Facebook users were affected than first reported, Facebook has revealed the extent of compromised information was greater for some than for others.
Attackers accessed two sets of information on about 15 million users. It included name and contact details such as email and phone number.
For another 14 million users, the attackers accessed additional information that was included in their profiles, such as username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in.
For 1 million users, Facebook has determined that the attackers did not access any information. Facebook users concerned about this breach can determine whether they were affected by visiting the Facebook help center.
Facebook's update follows criticism from Ireland's Data Protection Commission (DPC), which enforces privacy regulations for the European Union (EU). At the time, the agency complained that Facebook's initial disclosure of the breach was light on details.