The Facebook data breach allowed hackers not only to take over user profiles, but potentially to access thousands of third-party apps and websites that use Facebook login. But Facebook says they didn't.
On Friday, September 28, Facebook publicly revealed that an attack on its computer network had exposed the personal information of more than 50 million users. In follow-up conferences with reporters, details emerged that the breach allowed hackers to not only take over user profiles, but also to potentially access thousands of third-party apps and websites logged into Facebook.
This drastically expands the potential impact of the attack. Thousands of apps and websites let users log in with a Facebook account. That means that, had the hackers wanted to, they could have accessed everything from your payment history to your travel plans, your job applications, and your Netflix queue. Major companies like Spotify, Tinder, Pinterest, Netflix, Instagram, Airbnb, GrubHub, Ancestry, and Venmo are just a few of the thousands of sites the hackers could have accessed with the login information obtained in the hack.
Facebook’s Single Sign-On feature makes it easy to log into third-party sites without creating a unique password, but this convenient benefit comes with big risks. Because Facebook’s Single Sign-On lacked many basic security protocols, hackers could have potentially accessed everything from private messages on Tinder to individual passport information on Expedia.
Jason Polakis, a computer scientist at the University of Illinois at Chicago, says it's hard to measure the impact of a data breach of this proportion.
“The importance here is that since Facebook has become the most popular identity provider out there it’s not easy to evaluate how many accounts of yours hackers might have accessed,” Polakis said.
The hackers used three separate bugs to obtain 50 million users’ “access tokens.” If your Facebook account were an apartment, these access tokens would be the digital equivalent of the key to your front door. Once the hackers had these tokens, they could use them to get into the thousands of other apps and linked services that rely on a Facebook login for verification.
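As an added illustration, not from the article and not Facebook's own code: the server-side checks a third-party site using Facebook login can run against the response of Facebook's Graph API debug_token endpoint before it lets an access token back a session, and a re-check loop that ends sessions whose tokens Facebook has since invalidated, or that were minted for a different app or user. The response shape is the real endpoint's; the app ID, user IDs, tokens and timestamps are constructed.

```python
import time

# Constructed sample in the shape of a Graph API debug_token response
# (GET /debug_token?input_token=<user token>&access_token=<app token>);
# the IDs, timestamp and scopes are made up for this example.
SAMPLE_DEBUG_RESPONSE = {"data": {
    "app_id": "123456789012345", "type": "USER", "is_valid": True,
    "expires_at": 1_700_000_000, "scopes": ["public_profile", "email"],
    "user_id": "10000000000001",
}}

def token_is_acceptable(debug_response, expected_app_id, session_user_id,
                        required_scopes=("public_profile",), now=None):
    """Return (ok, reason) for a user token presented to this app, given
    the parsed JSON of a debug_token lookup made with the app's own token."""
    now = time.time() if now is None else now
    data = debug_response.get("data") or {}
    # Revoked or expired tokens come back is_valid=false (often with an
    # "error" object); a session must not survive on such a token.
    if "error" in data or not data.get("is_valid"):
        return False, "token invalid or revoked by Facebook"
    if data.get("type") != "USER":
        return False, "not a user token"
    # A token minted for some other app is not proof of login here.
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token issued to a different app"
    # Bind the token to the account the session claims to represent.
    if str(data.get("user_id")) != str(session_user_id):
        return False, "token belongs to a different user"
    expires_at = int(data.get("expires_at") or 0)  # 0: no fixed expiry reported
    if expires_at and expires_at <= now:
        return False, "token expired"
    missing = set(required_scopes) - set(data.get("scopes") or [])
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "ok"


def sessions_to_terminate(sessions, lookups, app_id, now=None):
    """Re-check each live session's token and return the session ids to end.
    sessions: {sid: {"user_id", "token"}}; lookups: {token: debug response}.
    A token with no lookup result is treated as invalid, not as still good."""
    doomed = []
    for sid, sess in sessions.items():
        resp = lookups.get(sess["token"], {"data": {"is_valid": False}})
        ok, _ = token_is_acceptable(resp, app_id, sess["user_id"], now=now)
        if not ok:
            doomed.append(sid)
    return sorted(doomed)
```

Running the re-check on a schedule (and whenever the identity provider announces a mass token reset) is what turns a revocation at Facebook into a logout at the third-party site.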
We don’t know for sure whether or not the hackers did this, but we do know that they had the capability. As of Tuesday, Facebook said it's not likely they did. In a statement, Facebook said that its investigation has found “no evidence so far” that the hackers accessed third-party apps. The investigation is on its sixth day.
If this early assessment is true and the hackers did not access third-party apps using Facebook login, then they did us a huge karmic favor with their restraint. Maybe the net sum total of their power felt too great. Maybe what the hackers learned about you from your Facebook account was so much that they couldn’t possibly take any more. Maybe once the hackers read through your messages and realized the trash-filled cesspool of desperation you truly are, they had just had enough, and decided that they could not possibly bear to learn more about you through third-party apps. (But all of that applies only if Facebook’s still-early assessment is true.)
Even if the hackers didn’t read your Tinder messages or find out about your secret family in Minnesota from your Ancestry account, what’s remarkable is that they could have if they’d wanted to.
Technology executive Graeme Muller said in a statement on the breach, “This is a wake-up call for everyone.”
In brighter news, Facebook CEO Mark Zuckerberg was also among those affected by the attack.