Facebook says there is no sign that hackers used access tokens to log in to other websites.
Last week, Facebook disclosed that 50m user accounts had been breached by an attack involving the harvesting of access tokens, with the risk of another 40m being compromised.
The breach is the largest in the company’s history and it has been grappling with the aftermath since it publicised the incident.
All-clear from Facebook
Guy Rosen, Facebook’s vice-president of product management, yesterday (2 October) said that investigators had determined that hackers did not use the stolen tokens to access third-party sites via Facebook Login. Users of sites such as Tinder and Spotify had been concerned about the potentially widening scale of the breach.
He said: “We analysed third-party access during the time of the attack we have identified. That investigation has found no evidence that the attackers accessed any apps using Facebook Login.”
Some security experts say that Facebook may have led with a worst-case scenario to ensure that it would be compliant with GDPR, which came into force at the end of May this year. Under GDPR, firms can face tough penalties if rules are not followed.
Companies need to disclose breaches within 72 hours of discovery. According to some security professionals, this narrow window does not give investigators enough time to properly examine the impact of a breach. Former security chief at the company, Alex Stamos, tweeted that the 72-hour GDPR deadline means that companies end up announcing breaches before an investigation is finished. He added that the result means “everybody is confused on actual impact” due to rumours, with the true impact filed at a later date.
Building a tool to help developers
Rosen added that any developer using official Facebook SDKs (software development kits or devkits) and all those that have regularly checked the validity of their users’ access tokens “were automatically protected when we reset people’s access tokens”.
He said that the company is still building a tool as a cautionary measure, enabling developers to manually identify the users of their apps who may have been affected, so they can log those users out.