⛓ Supply Chain

Facebook "View As" access token breach affects 50 million accounts (September 2018)

📅 2018-09-25 🏢 Facebook Login / Facebook platform

Incident Details

On the afternoon of September 25, 2018, Facebook's engineering team discovered an active attack exploiting a critical vulnerability in the platform's "View As" feature, a privacy tool that lets users preview how their own profile appears to someone else. Facebook disclosed the breach publicly on September 28, 2018.

The attack exploited a chain of three distinct software bugs that interacted to allow access token theft at scale:

  1. The "View As" feature incorrectly rendered a birthday video post composer, a content type that should not appear in a read-only privacy preview context.
  2. A July 2017 update to the video uploader contained a bug causing it to generate an OAuth access token with full Facebook mobile app permissions even when triggered from a web context where no token should be issued.
  3. When token generation was triggered inside "View As," the resulting token was issued for the profile being viewed, not the person running the preview, effectively handing the attacker a valid authentication credential for the victim's account.
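A hypothetical model of that bug chain next to a hardened issuer, added here as an illustration and not taken from Facebook's code: it assumes a minimal Session carrying the rendering surface and an optional view_as field, a token issuer, and an audit routine that flags tokens minted for anyone other than the authenticated user. The scope names and the sample audit records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model (not Facebook's code) of the three-bug chain described above:
# a token minted from a web preview context, with its subject taken from the
# profile being viewed instead of the authenticated user.

MOBILE_APP_SCOPES = frozenset({"public_profile", "email", "user_friends", "publish_video"})

@dataclass(frozen=True)
class Session:
    user_id: str                    # the authenticated principal
    surface: str                    # "mobile_app" or "web"
    view_as: Optional[str] = None   # profile being previewed, if inside "View As"

@dataclass(frozen=True)
class AccessToken:
    subject: str
    scopes: frozenset

def issue_token_vulnerable(session: Session) -> AccessToken:
    """Bug 2: mints a full-permission token regardless of surface.
    Bug 3: derives the subject from the View As context when one is present."""
    subject = session.view_as or session.user_id
    return AccessToken(subject=subject, scopes=MOBILE_APP_SCOPES)

def issue_token_hardened(session: Session) -> AccessToken:
    """Issue only from the surface that needs the token, never while previewing
    another identity, and always for the authenticated principal."""
    if session.surface != "mobile_app":
        raise PermissionError(f"token issuance not allowed from surface {session.surface!r}")
    if session.view_as is not None:
        raise PermissionError("token issuance not allowed inside a View As preview")
    return AccessToken(subject=session.user_id, scopes=MOBILE_APP_SCOPES)

def find_misissued(records: list) -> list:
    """Defensive audit over token-issuance records: flag any token whose subject
    differs from the session's authenticated user or that was minted from the web."""
    return [r for r in records
            if r["token_subject"] != r["session_user"] or r["surface"] != "mobile_app"]

# Constructed sample records for the audit; not real log data.
SAMPLE_RECORDS = [
    {"session_user": "alice", "surface": "mobile_app", "token_subject": "alice"},
    {"session_user": "mallory", "surface": "web", "token_subject": "bob"},
    {"session_user": "carol", "surface": "web", "token_subject": "carol"},
]

if __name__ == "__main__":
    for r in find_misissued(SAMPLE_RECORDS):
        print("suspicious issuance:", r)
```

The audit's second rule (no tokens from the web surface) is the control that would have caught bug 2 on its own, independent of whose identity ended up in the token.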

The harvested access tokens functioned as persistent login keys, allowing attackers to authenticate as victims without knowing passwords or triggering password-based security controls. Because Facebook Login (OAuth single sign-on) is integrated into thousands of third-party apps and websites, including Tinder, Spotify, Instagram, and many others, the stolen tokens potentially extended attacker reach into those connected services as well.

Facebook reset access tokens for all 50 million directly affected accounts and, as a precautionary measure, reset tokens for a further 40 million accounts that had used "View As" in the preceding year, forcing approximately 90 million users to log back in. The "View As" feature was temporarily disabled pending a full security review.

Subsequent forensic investigation narrowed actual token theft to approximately 30 million accounts. Of those, roughly 15 million had name and contact details (phone number or email) accessed; approximately 14 million also had richer profile data accessed including username, gender, locale, relationship status, religion, hometown, current city, birthdate, device types, education, work history, and recent search activity; about 1 million had tokens stolen but no profile data accessed.

In December 2024 the Irish Data Protection Commission, Facebook's lead EU supervisory authority under GDPR, fined Meta €251 million (approximately £210 million) for inadequate technical safeguards, concluding that roughly 3 million EU users were among those affected. The breach was among the largest OAuth/SSO platform incidents on record and illustrated the systemic downstream risk created when a single identity provider is compromised across thousands of relying-party applications.

Technical Details

Initial Attack Vector
Exploitation of a chain of three software bugs in the Facebook "View As" privacy feature. The interaction of a misconfigured birthday video composer, a flawed video uploader that incorrectly generated access tokens with mobile app permissions, and a logic error that issued tokens for the viewed user rather than the viewer allowed attackers to harvest OAuth access tokens for approximately 50 million accounts without knowing account passwords.
Vendor / Product
Facebook Login / Facebook platform
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2018-09-25 Breach occurred
  2. 2018-09-28 Publicly disclosed
  3. 2018-09-28 Customers notified