When Did it Happen?

A security issue was discovered by the Facebook engineering team this week, Tuesday, September 25.  To Facebook’s credit, it promptly reported the issue, patched up the vulnerability, and disabled the “View As” while they continue to investigate the matter.

How Did It Happened?

According to Facebook’s security update, there was a security vulnerability in Facebook’s “View As” feature that allowed hackers that steal access tokens.  The access tokens essentially allow the hackers to login as other users.

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

How Many People Are Affected?

Up to almost 50 millions accounts are known to have affected by this security vulnerability.  There may be another “40 million accounts that have been subject to a “View As” look-up in the last year”.

If you have a Facebook account, you are likely impacted.

What Has Been Compromised?

It’s not entirely clear what data has been compromised.  However, if a hacker had your access token, they have access to your account (as you) and presumably could have access to all your facebook data.

What Do You Need to Do?

Technically, you don’t need to do anything, since Facebook had reset the access tokens.  You might be prompted to log back into your account again.

Reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.”

However, I’d recommend securing your account further by:

  1. Updating your password.  Make sure your password should not be the same as other online accounts.
  2. Enabling your two-factor authentication:  Settings -> Security and Login -> Set up “Two Factor Authentication”.


It is disappointing that there is another major hack. In a increasingly connected world, it is yet another reminder to set strong and different passwords for your online accounts.

If you had never enable two-factor authentication, this might be another push to consider adding another level of security to your online accounts.  At a minimum, you should have two-factor authentication enabled for all sensitive financial accounts.

Meanwhile, while it seemed that everyone I know has a LinkedIn account, I might consider holding off on getting one myself.

I really don’t need more of my personal data to (potentially) be exposed online.