On September 28, 2018 Facebook made a press release regarding the breach in security which affected 50 million of its users.
The attack took place through the “View as” option that Facebook uses to allow users to see what their profile looks like to other users. The attackers exploited that feature to steal user access tokens. These tokens allow users to maintain being logged in and not have to enter their password every time Facebook is accessed. The attackers could then utilize these tokens to access user accounts.
Facebook has responded by saying they have taken actions to fix the vulnerability, inform the appropriate law enforcement agencies, and reset the access tokens for all 50 million users that they believe were affected.
This is all the information we have from Facebook at this time. They claim they are in the early stages of their investigation so we assume more news will come as it concludes.
The full press release from Facebook can be found on their website at the following link: https://newsroom.fb.com/news/2018/09/security-update/