On September 28, 2018, facebook acknowledged that a security issue was discovered on September 25th. This security issue affects almost 50 million accounts. https://newsroom.fb.com/news/2018/09/security-update/
--Quote from facebook announcement: Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Maybe it is coincidence, Chang Chi-yuan posted a live video announcement https://www.facebook.com/robots.tx/videos/1198079323673283/ on September 26th that he will broadcast a tempt to delete Mark Zuckerberg's Facebook page. He withdraw from the pledge on 28th nothing that facebook acknowledged to be able to reproduce his bug report.
I am not sure the time on facebook post is local time or the facebook server time. September 26th in Asia time zone can be September 25th in Pacific time zone so it is possible facebook discovered the security issue based on Chang Chi-yuan's report.
Two scenarios that are possible. One is that Chang Chi-yuan was trying to exploit the bug and during the process he was able to get the access token of 50M accounts. One is that someone else hacked and the bug has nothing to do with what Chang Chi-yuan found.
Facebook is still in its early stages of the investigation so we will see.
Tags: facebook hack Chang Chi-yuan