Yesterday, Facebook released information about a hack affecting about 90 million users. 40 million of them are included as a precautionary measure; the access tokens of these users have been reset. That leaves around 50 million users who are directly affected, and attackers probably had complete access to their accounts.
Yesterday Facebook was only at the beginning of its investigation, but it has now shared more details. According to these, the access tokens gave access not only to the Facebook profile itself but also to all services for which you have registered via Facebook. There is a silver lining, however: you do not have to change your password, because it cannot be read from the access tokens. This also means that you are relatively safe if the access has caused no damage so far, since the tokens can no longer be used.
So if you have connected Instagram or Oculus to Facebook, you have to connect them again; at the same time, it means that the attackers had access to such services. Login with Facebook is offered by numerous services, and such a login is actually considered safe, because no passwords are passed along. It only becomes a problem when the tokens are lost and nobody notices.
Meanwhile, Facebook has also published technical details of the attack. It was a combination of several bugs that made it possible to obtain the tokens.