The Privacy Commissioner for Personal Data has launched a compliance check on Facebook following the security incident that has left at least 50 million accounts exposed to compromise.
Facebook revealed last month that a series of vulnerabilities in its View As feature, which allows Facebook users to view their profile as it would be seen by a specific user, had left the accounts vulnerable to attack.
The first of these vulnerabilities was a misconfigured composer that incorrectly allowed users to post a video on the account through which they were using the View As feature to view their own profiles.
This bug could be exploited to take advantage of a second, unrelated bug in a new version of Facebook's video uploader, which generated an access token with the permissions of the Facebook mobile app. A third bug ensured that this access token was generated not for the user, but for the account the user was looking up.
Facebook has announced it has fixed the vulnerability and is cooperating with law enforcement in an investigation into the incident.
But the PCPD is conducting its own investigation, and has contacted Facebook to express concern over the incident given the likelihood that Hong Kong account holders were affected.
Privacy commissioner Stephen Kai-yi Wong said Facebook has advised his office that there is so far no evidence that attackers accessed any apps using Facebook login, and that there is no reason for users to change their passwords over the incident.