Facebook "View As" access token breach affects 50 million accounts (September 2018)
Primary Source ↗Incident Details
On the afternoon of September 25, 2018, Facebook’s engineering team discovered an active attack exploiting a critical vulnerability in the platform’s “View As” feature — a privacy tool that lets users preview how their own profile appears to someone else. Facebook disclosed the breach publicly on September 28, 2018.
The attack exploited a chain of three distinct software bugs that interacted to allow access token theft at scale:
- The “View As” feature incorrectly rendered a birthday video post composer — a content type that should not appear in a read-only privacy preview context.
- A July 2017 update to the video uploader contained a bug causing it to generate an OAuth access token with full Facebook mobile app permissions even when triggered from a web context where no token should be issued.
- When token generation was triggered inside “View As,” the resulting token was issued for the profile being viewed, not the person running the preview — effectively handing the attacker a valid authentication credential for the victim’s account.
The harvested access tokens functioned as persistent login keys, allowing attackers to authenticate as victims without knowing passwords or triggering password-based security controls. Because Facebook Login (OAuth single sign-on) is integrated into thousands of third-party apps and websites — including Tinder, Spotify, Instagram, and many others — the stolen tokens potentially extended attacker reach into those connected services as well.
Facebook reset access tokens for all 50 million directly affected accounts and, as a precautionary measure, reset tokens for a further 40 million accounts that had used “View As” in the preceding year, forcing approximately 90 million users to log back in. The “View As” feature was temporarily disabled pending a full security review.
Subsequent forensic investigation narrowed actual token theft to approximately 30 million accounts. Of those, roughly 15 million had name and contact details (phone number or email) accessed; approximately 14 million also had richer profile data accessed including username, gender, locale, relationship status, religion, hometown, current city, birthdate, device types, education, work history, and recent search activity; about 1 million had tokens stolen but no profile data accessed.
In December 2024 the Irish Data Protection Commission — Facebook’s lead EU supervisory authority under GDPR — fined Meta €251 million (approximately £210 million) for inadequate technical safeguards, concluding that roughly 3 million EU users were among those affected. The breach was among the largest OAuth/SSO platform incidents on record and illustrated the systemic downstream risk created when a single identity provider is compromised across thousands of relying-party applications.
Technical Details
- Initial Attack Vector
- Exploitation of a chain of three software bugs in the Facebook "View As" privacy feature — the interaction of a misconfigured birthday video composer, a flawed video uploader that incorrectly generated access tokens with mobile app permissions, and a logic error that generated tokens for the viewed user rather than the viewer allowed attackers to harvest OAuth access tokens for approximately 50 million accounts without knowing account passwords
- Vendor / Product
- Facebook Login / Facebook platform
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
Timeline
- 2018-09-25 Breach occurred
- 2018-09-28 Publicly disclosed
- 2018-09-28 Customers notified