Someone is claiming that, due to exposing their Facebook App Secret on an app that was never deployed live, only locally in development, their Facebook account that they used to generate the Facebook App ID and Secret was hacked and they have lost access to it. I'm perplexed by this claim. As far as I know, the App Secret at most could allow getting access tokens which could be used to make API calls on behalf of the app. If the app itself is not even deployed in production, is even that possible?
But my main question is: is there really a way that someone could hack into a Facebook account from an App Secret generated by that account? Facebook itself makes no mention of this: https://developers.facebook.com/docs/facebook-login/security/#appsecret
You can (if it is still possible) change App Settings with an App Secret (in combination with an App ID as an App Token), but no, you cannot hack a Facebook account with it.