Tokens could've been used by hackers to control Instagram

Oct 1, 2018 14:32 GMT

Until now, there was no mention of other applications or platforms being affected by the Facebook chain of vulnerabilities which allowed attackers to compromise 50 million accounts.

However, Guy Rosen, Facebook's VP of Product Management, did say that third-party apps which use the Facebook Login feature were affected, according to the public transcript (PDF) of the September 28 press call.

Attackers who exploited a bug in the "View As" profile feature, which lets users see their profile as other users would see it, were able to steal 50 million Facebook access tokens. Facebook also said that the tokens of 40 million more accounts which had used the "View As" feature during the last year would be reset as a precaution.

The security issue in the "View As" feature was introduced through a July 2017 change to the video-uploading code. Facebook found the bug on Tuesday, September 25, and publicly announced it on September 28.

As Rosen told the press during the call, the Irish Data Protection Commission was notified about the breach to comply with Facebook's obligations under the GDPR (General Data Protection Regulation).

Third party apps which use Facebook login are now automatically protected by Facebook resetting the stolen access tokens

Facebook is also working with other law enforcement agencies during the investigation of this hacking incident, but it has declined to name any of them besides the FBI and the Irish Data Protection Commission.

Furthermore, as Rosen stated during the press call, although the chain of vulnerabilities used by the attackers to breach 50 million accounts existed only on Facebook, the access tokens stolen in the breach could have been used to control accounts on third-party apps which offer Facebook Login.

"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were account -- the account holder themselves," said Rosen. "This does mean they could have accessed other third-party apps that were using Facebook login."

However, given that Facebook reset the access tokens for all 50 million compromised accounts and for the 40 million other accounts which might also have been affected, users of third-party apps with Facebook Login support are now protected; the stolen tokens no longer work, and those users will have to log in again to use the affected apps.
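The protection described above only works if the third-party app actually asks Facebook whether a presented token is still good instead of trusting the token string on its own. The following is an added example of that relying-party check, not code from the article or from Facebook: it evaluates an introspection response of the shape returned by the Graph API `/debug_token` endpoint as I know it (`data.is_valid`, `data.app_id`, `data.user_id`, `data.expires_at`, `data.scopes`; treat the exact field names as an assumption and confirm against current documentation). The app id, user ids and the three responses are constructed sample data so the block runs offline.

```python
"""Relying-party check for a Facebook Login access token (added example).

A third-party app that accepts Facebook Login should, before trusting a
token a client presents, ask the identity provider whether the token is
still valid and bound to this app. A token that Facebook has reset then
fails closed here even though the client still holds the string.
"""
import json
import time
from typing import Optional, Tuple

MY_APP_ID = "123456789"       # constructed placeholder for this app's Facebook app id
REQUIRED_SCOPES = {"email"}   # scopes this app needs in order to operate
NOW = 1_538_400_000           # constructed "current" Unix time (around Oct 1, 2018)

# Constructed sample introspection responses (shape assumed, values invented).
TOKEN_OK = json.dumps({"data": {
    "app_id": "123456789", "is_valid": True, "user_id": "42",
    "expires_at": 1_540_000_000, "scopes": ["email", "public_profile"]}})
TOKEN_RESET = json.dumps({"data": {
    "error": {"code": 190, "message": "The session has been invalidated"},
    "is_valid": False, "scopes": []}})
TOKEN_OTHER_APP = json.dumps({"data": {
    "app_id": "987654321", "is_valid": True, "user_id": "42",
    "expires_at": 1_540_000_000, "scopes": ["email"]}})


def evaluate_token(introspection_json: str, now: float,
                   expected_user: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether to accept a token from the IdP's introspection response.

    Returns (accepted, reason). Every check fails closed, so a malformed or
    error response is treated exactly like an invalid token.
    """
    try:
        data = json.loads(introspection_json).get("data", {})
    except (json.JSONDecodeError, AttributeError):
        return False, "unparseable introspection response"
    if "error" in data:
        return False, "introspection error: " + data["error"].get("message", "unknown")
    if data.get("is_valid") is not True:
        return False, "token not valid (expired, revoked or reset by the provider)"
    # Audience binding: a token minted for another app must not unlock this one.
    if str(data.get("app_id")) != MY_APP_ID:
        return False, "token issued for a different app"
    if data.get("expires_at", 0) <= now:
        return False, "token expired"
    # Subject binding: the token must belong to the user the session claims to be.
    if expected_user is not None and str(data.get("user_id")) != expected_user:
        return False, "token belongs to a different user than the session claims"
    missing = REQUIRED_SCOPES - set(data.get("scopes", []))
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    for label, resp in (("valid", TOKEN_OK), ("reset", TOKEN_RESET),
                        ("other app", TOKEN_OTHER_APP)):
        accepted, reason = evaluate_token(resp, time.time())
        print(f"{label:>9}: accepted={accepted} ({reason})")
```

The two bindings (app id and user id) are what turn a leaked bearer token into something the relying party can refuse: the provider-side reset flips `is_valid`, and even a still-valid token cannot be replayed against a different app or attached to a different session.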

The most important question right now is what the attackers were able to do after discovering the exploitable chain of vulnerabilities and breaching tens of millions of Facebook accounts.

What data were they able to collect before Facebook found the security bug? Were they also able to get their hands on the two-factor authentication phone numbers Facebook used for ad targeting?

No one knows yet, but we will find out once the ongoing investigation ends and the law enforcement agencies publish their report on the hacking incident.