Last week, as many as 90 million Facebook users were forced to log in to their accounts again after the social media network admitted it was hacked. Facebook said nearly 50 million of its users were directly affected by hackers stealing access tokens after exploiting Facebook’s code; the other 40 million forced logins were a “precautionary” step.
The buggy code had been around since July 2017, but Facebook didn’t realize attackers were exploiting the vulnerability — the result of three separate bugs — through the “View As” option until this week. The flaw allowed hackers “to steal Facebook access tokens which they could then use to take over people’s accounts.”
Facebook fixed the vulnerability, temporarily disabled the View As feature and contacted law enforcement.