In a conference call with reporters on Friday, Facebook CEO Mark Zuckerberg and company officials said the breach affected members who used the "View As" feature that lets them see how their Facebook profile looks to others, including non-friends.
The hackers were also given complete access (as if they were you, effectively), and so could have accessed any part of your accounts.
In a blog post, Guy Rosen, VP of Product Management, stated that the company has reset the access tokens of the nearly 50 million affected accounts to protect their security.
According to Facebook, the hackers exploited three bugs in this feature, using its weaknesses to breach the privacy of accounts.
Facebook's preliminary analysis suggests the flaw was introduced during changes made to the site's video upload system in July 2017. As a result, access tokens were generated as the user being targeted by the "View As" system rather than the actual logged-in user, and were made available in the HTML source of the page.
If your account was among the affected (or suspected) accounts, Facebook has already logged you out. But the benefit comes at a cost: all these platforms will share the same access credentials.
The company stated that this means that if you were affected by the hack, you'll notice that you have been automatically logged out of your Facebook account, as well as any other apps that use Facebook to log in. Preliminary investigation shows these tokens were used to access posts and private messages, or let the hackers post anything on the accounts. So I guess there is no need to freak out; Facebook has got everything under its control now.
Identifying that overlap could allow the companies to examine if affected Facebook users' data was also compromised on their platforms.
Ireland's Data Protection Commission, which is Facebook's lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which European Union residents might be affected. It does not matter even if you have two-factor authentication enabled, where you have to enter the OTP sent to your mobile to log in to Facebook.
"We cannot say with absolute surety what went wrong until Facebook shares more information", said Prakash.
News broke early this year that a Trump-linked data analytics firm, Cambridge Analytica, had gained access to personal data from millions of user profiles.
It remains to be seen whether the fine will be levied on Facebook or not.
How did Facebook get to know about the hack? You can also try deactivating your account for some time, as reactivating it will also grant new access tokens, while old tokens will automatically expire. Zuckerberg has tried mightily to assure consumers and lawmakers that the site is doing everything in its power to protect personal information while tamping down on foreign meddling during elections.