https://newsroom.fb.com/news/2018/09/security-update/
Attackers used an exploit found within the “view as” function that Facebook allows. The exploit allows for the attackers to steal the access tokens. Facebook has responded by fixing the exploit, contacting law enforcement, logging out the affected users and any users subjected to a “view as” look up within the past year, and Facebook has turned off the “view as” feature. Facebook is still in the early stages of the investigation and hopefully more details about the attack will follow.
TJJohnson Learning Security 