In 2011 it signed a consent decree with the Federal Trade Commission (FTC), the U.S. consumer protection agency, settling charges that it deceived consumers by telling them they could keep their information on Facebook private, and then allowing it to be shared and made public.
How did Facebook get to know about the hack? "This does mean they could access other third-party apps using Facebook login", Guy Rosen, Facebook's vice president of product, said. According to the statement from CEO Mark Zuckerberg, the Facebook team identified the issue on Tuesday and got it fixed by Thursday night.
Facebook said there is no need for users to change their passwords.
The social network had about 270 million users in India at the end of July, according to the Statista website. The "View As" feature has been temporarily suspended as the investigation by Facebook into the hack continues.
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they do not need to re-enter their password every time they use the app. The DPC acknowledged Facebook did inform them of the breach but said that the report lacked "detail".
The news comes just days after a hacker said he was going to delete Zuckerberg's Facebook page on Sunday. As a security measure, Facebook forced over 90 million users to log out. Through this vulnerability, they were able to generate keys, access and dump tokens, and sign into user profiles without a password. It would be disingenuous to pretend that the concerns driving the backlash against Facebook are totally bipartisan, but the network has trodden well into risky territory - and if it turns out attackers gained access to and misused sensitive user data, it could get much worse, quickly. Facebook is also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the previous year.
There you will see a hyperlinked text saying "Where you're logged in". You can see devices as well as their current location, and in case you see any unknown locations or devices, you can simply click on the remove button.
If you have not set up two-factor authentication for Facebook, then it is time to do so.
The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2 per cent of world-wide revenue.
The best way to secure your account is to enable the two-factor authentication system.
Experts said to check where you're logged in on a regular basis. Whenever you try to log in, you have to enter a code which is sent to your number or email.