Facebook didn’t believe the breach needed to be reported under Australia’s mandatory breach notification law. The company discovered three separate bugs affecting a feature called “View As” that allows people to view their profile as it appears publicly. The attack started on Sept. 14, 2018, and ran for two weeks. Facebook invalidated the access tokens for 50 million accounts and 40 million others as a precaution. The emails between Facebook and Australia’s regulator – the Office of the Australian Information Commissioner – and company officials – were released March 11.”]
Source: https://www.bankinfosecurity.com/facebooks-early-misguided-call-on-breach-disclosure-a-12265