30 million Facebook users' accounts breached


30 million users had their accounts breached, and a total of 90 million accounts were reset, after Facebook's "view as" feature leaked unique user account access tokens. The leak allowed attackers not only to trivially impersonate any other user on the platform, but also to potentially automate the attack on a massive scale using Facebook's API.

This is of particular concern where these access tokens were used as a "Single Sign On" for third-party services that authenticate against Facebook. The attack was only spotted due to a surge in "view as" feature usage.


Note: a first estimate by Facebook initially mentioned 50 million users before this number was reduced to 30 million. https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/

Author: Lorenzo Franceschi-Bicchierai, Sean Gallagher

