Facebook restores disabled ‘View As’ feature used in 2018 breach

Facebook is reviving a version of a privacy feature that it disabled last year after hackers exploited it to steal users’ access tokens – the keys that allow users to stay logged into Facebook without having to re-enter their password every time they use the app.

The stolen access tokens granted attackers access to all of the affected users’ data, including anything you can see, read, download or change when you log in to Facebook.

Facebook discovered the breach in September.

Initially, the company thought that 50 million accounts had been affected, and it reset another 40 million as a precautionary step. In October, it downgraded the number to about 30 million accounts – still a huge number of users whose phone numbers, emails and other information were compromised.

On Tuesday, Facebook updated its initial blog post about the breach to say that it’s completed a security review and is re-enabling a version of the “View As” feature that hadn’t been affected by the security incident.

The cruel irony of the data breach was that the whole idea of “View As” was to help people improve their privacy and security by allowing them to see how they look to the outside world.

The “View As Public” feature lets people see what their profile looks like to people they aren’t friends with on Facebook. Not only was the restored version unaffected by the breach, but this version was also “significantly more popular” than Facebook’s “View as Specific Person” feature, Facebook says.

The company is also adding an “edit public details” button to make it easier for users to find settings that allow them to control the profile information that the public can see.