Facebook this week informed users that it has partially restored a privacy feature abused by hackers last year as part of an attack that impacted 29 million accounts.
The social media giant informed customers in late September 2018 that hackers had exploited a series of vulnerabilities to steal tokens that could be used to access 50 million Facebook accounts. The company later told users that the attack, reportedly launched by spammers who wanted to make a profit through deceptive advertising, actually impacted only 29 million accounts.
According to Facebook, for 15 million of the affected users, the hackers accessed names, phone numbers and email addresses. For the remaining 14 million, they also accessed gender, hometown, date of birth, religion, and information on the places they had checked into.
In response to the breach, Facebook invalidated access tokens for nearly 90 million accounts and launched a tool that told users whether or not their account was impacted.
The attack involved three distinct flaws affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.
“View As” is a privacy feature that shows users how others, including specific friends or users they are not friends with (View As Public), see their profile. The feature is designed to help users ensure that they only share information with the intended audience.
Facebook disabled the “View As” feature following the massive breach, but it has partially re-enabled it this week. In an update to its initial blog post and on Twitter, the company said it restored the “View As Public” feature after completing its security review and determining that it was not involved in the incident.
The “View As Specific Person” feature remains disabled. However, Facebook says the “View As Public” version was much more popular. Facebook is likely restoring the feature gradually as it’s still not available to all users.