An important update about Facebook's recent security incident
You can visit this page again by searching for "security incident" in the Help Center, or by bookmarking https://www.facebook.com/help/securitynotice
We previously announced a security incident on Facebook and want to provide an update on our investigation. We have now determined that attackers used access tokens to gain unauthorized access to account information from approximately 30 million Facebook accounts. We're very sorry this happened. Your privacy is incredibly important to us, and we want to update you on what we've learned from our ongoing investigation, including which Facebook accounts are impacted, what information was accessed and what Facebook users can do about this.
What is the status of Facebook's investigation and what was learned?
- On September 25, 2018, we discovered that attackers had exploited a vulnerability caused by the complex interaction of three bugs in our system to obtain access tokens. Tokens can be used, like a digital key, to request certain information through our platform. We acted quickly to secure the site and began an investigation to determine if anyone's Facebook information was accessed and how many users were impacted.
- To protect our users while we conducted an investigation, we invalidated the access tokens of almost 90 million accounts that were potentially impacted by the vulnerability. There's no need for anyone to change their passwords, and if you're still having trouble logging back into your account, learn what you can do.
- Starting September 28, we notified users who were logged out, explained why we did this and shared what we knew about the attack at that time. You can read more about this incident and our initial response. When we shared this initial response, we were still investigating and didn't yet know if anyone's Facebook information was accessed.
- We have now determined that between September 14 and 27, the attackers used the access tokens to get certain Facebook account information from our platform. These access tokens have since been invalidated, which prevents any further access to Facebook account information. Learn more about how this attack took place.
Our investigation is still ongoing, and if we have more information to share, we'll let you know.