Facebook has announced that it found no evidence that attackers had used stolen account access tokens on other websites or apps that enable users to access their accounts using Facebook Login.
This comes on the heels of the social network’s disclosure on Friday, September 28, of a breach in which miscreants lifted access tokens for the accounts of at least 50 million users by leveraging a vulnerability in Facebook's ‘View As’ feature. In response, Facebook revoked the tokens not only on those accounts, but it also logged out another 40 million people whose accounts had been identified as being at risk. A great deal of the concerns over the incident stemmed from the risk that the pilfered tokens could open the doors not only to the users’ Facebook accounts, but also to their accounts with numerous other sites that use Facebook’s single sign-on.
“We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login,” reads the social network’s security update on Tuesday evening.
According to researchers with the University of Illinois at Chicago, no fewer than 42,000 sites use Facebook Login, which helps reveal the potential outsized implications of the breach. This includes behemoths in their respective spheres, such as Spotify, Tinder, AirBnb, and Facebook’s own Instagram. Tinder, for one, has said in a statement, relayed by Axios, that it had found "no evidence to suggest accounts have been accessed based on the limited information Facebook has provided".
In its latest update, Facebook also said that site developers who use Facebook’s official software development kits or regularly check the status of the users’ access tokens “were automatically protected when we reset people’s access tokens”. In the instances when developers don’t use Facebook’s devkits, the social network is building a tool to enable them to “manually identify the users of their apps who may have been affected, so that they can log them out”.
UPDATE Facebook data breach - @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S
— Data Protection Commission Ireland (@DPCIreland) October 1, 2018
Meanwhile, Politico reports that Facebook is set to face an official probe – and potential hefty penalties – as a result of the EU’s General Data Protection Regulation (GDPR), which gives EU citizens powerful rights when it comes to protection of their personal data. The enquiry would focus on whether Facebook “mishandled people’s data in a way that led to a hacker being able to access the online profiles of millions of Facebook users”, according to the site.
The investigation would be undertaken by Ireland’s Data Protection Commission (DPC), which is the privacy regulator overseeing Facebook in the EU. DPC tweeted on Monday that fewer than ten percent of the 50 million people affected by the incident live in the EU. Facebook has 370 million monthly active users in Europe.
Facebook said that it is “working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue”, and that it plans to release more details soon about the location of those potentially affected. The company is already facing a class-action lawsuit in California over the breach.
With Facebook’s own investigation into the breach still under way, you’re well-advised to exercise extra caution with respect to your Facebook account or, indeed, any other online service linked to it. That holds true even if you weren’t one of the breach’s victims and regardless of where in the world you live.
Logging out and back in is simple enough and will work to reset your access token. Take also a moment to review your security settings, especially the Where you’re logged in section.