As we shared on Tuesday, we analyzed our logs for all third-party apps installed or logged into during the attack we announced on Friday. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login. Developers using our official Facebook SDKs, and all those that have regularly checked the validity of their users' access tokens, were automatically protected when we reset people's access tokens. However, out of an abundance of caution, as some developers may not use our SDKs (or regularly check whether Facebook access tokens are valid), we are releasing a tool to enable developers to manually identify the people using their apps who may have been affected, so that they can log them out.
The tool allows developers of third-party apps to securely download a hashed list of the people using their app who may have been affected by the vulnerability. This process allows us to provide developers with the data they need to assess the impact on their users and take the necessary remediation steps.
This tool will appear for developers who have users that may have been impacted by the security issue. Developers will be alerted to the availability of this tool in their app dashboard. If a developer does not receive an alert in their dashboard, that means they did not have any impacted users. You can read more about how the tool works here.