What happened on Facebook?

On the afternoon of Tuesday 25 September, Facebook's engineering team discovered a security issue. The team fixed the vulnerability and took the precautionary step of resetting the access tokens of anyone who might have been affected.

Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.

What does this mean for Workplace?

For most Workplace accounts, nothing. Workplace is set up differently to Facebook, and most accounts don't use the access tokens that could have been affected by this vulnerability.

However, during the beta phase of Workplace, prior to the summer of 2016, Workplace included a feature that allowed people to link their personal Facebook and Workplace accounts. Linked accounts from this period could have been affected by this issue.

All of those accounts were protected when we reset affected access tokens last week.

If you joined Workplace after summer 2016, your Workplace account was not affected.

If you joined before summer 2016 and chose to link your accounts, but then enabled single sign-on, your Workplace account was not affected.

If you joined before summer 2016, linked your personal Facebook and Workplace accounts, have not enabled single sign-on and had your access tokens reset in connection with this issue, it is possible that your Workplace account could also have been affected, but it has now been protected.

No further action needs to be taken by Workplace customers.

Your security remains our top priority, which is why our compliance certificates include ISO 27001, SOC2, SOC3 and the EU/US Privacy Shield.

For the latest information, view the official Facebook Newsroom post. If you're a customer with more questions, please contact our Customer Support team.