The first bug prompted Facebook's video upload tool to mistakenly show up on the "View As" page. The second one caused the uploader to generate an access token—what allows you to remain logged into your Facebook account on a device, without having to sign in every time you visit—that had the same sign-in permissions as the Facebook mobile app. Finally, when the video uploader did appear in "View As" mode, it triggered an access code for whoever the hacker was searching for.
“This is a complex interaction of multiple bugs,” Rosen said, adding that the hackers likely required some level of sophistication.
That also explains Friday morning's logouts; they served to reset the access tokens of both those directly affected and any additional accounts “that have been subject to a View As look-up” in the last year, Rosen said. Facebook has temporarily turned off "View As," as it continues to investigate the issue.