Facebook doesn't think hackers accessed third-party sites

Facebook says it has not found any evidence "so far" that its attackers accessed third-party sites through F...

Posted: Oct 3, 2018 10:11 AM
Updated: Oct 3, 2018 10:12 AM

Facebook says it has not found any evidence "so far" that its attackers accessed third-party sites through Facebook Login.

It's a sliver of good news about a massive data breach that the company first disclosed last week. Attackers accessed as many as 50 million accounts in the largest such breach of Facebook's network.

"We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login." said Facebook's Guy Rosen in a statement.

On Friday, Facebook announced unknown attackers had exploited a vulnerability to access the accounts. They were able to view other people's Facebook profiles as if they were the accounts' owners. For example, they could see friends' profiles and updates.

Facebook says it closed the loophole on Thursday night, but 90 million users were forcefully logged out of their accounts as a precaution.

The attackers stole Facebook "access tokens," which keep a person logged into their Facebook account over long periods. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "view as" feature in the past year as a precautionary step.

During a call about the hack last week, Rosen said the attackers would have also been able to access third-party sites using Facebook Login, but the company had found no evidence of them doing so.

Hundreds of sites and apps including Tinder, Spotify and Airbnb use Facebook Login, which lets people access the services with their Facebook username and password. Early this week, developers were confused about whether their services had been exposed in the Facebook hack.

The company says partners following Facebook "best practices" were automatically protected. Some developers might not have followed those rules, and they could have put their users at risk.

"We're sorry that this attack happened — and we'll continue to update people as we find out more," Rosen said.

-- CNN's Donie O'Sullivan contributed reporting.

Article Comments

Mason City
Clear
22° wxIcon
Hi: 30° Lo: 17°
Feels Like: 10°
Albert Lea
Broken Clouds
21° wxIcon
Hi: 31° Lo: 16°
Feels Like: 14°
Austin
Overcast
28° wxIcon
Hi: 33° Lo: 19°
Feels Like: 23°
Charles City
Overcast
28° wxIcon
Hi: 27° Lo: 18°
Feels Like: 20°
Rochester
Overcast
25° wxIcon
Hi: 26° Lo: 16°
Feels Like: 16°
Light Snowfall for Wednesday
KIMT Radar
KIMT Eye in the sky

Latest Video

Image

Osage moves on to semifinals

Image

Roch Firefighters sell shirts for charity

Image

Impeachment hearings: Day one

Image

Saving Pete's Kitchen

Image

Practicing creativity in One Discovery Square

Image

StormTeam 3 Tour at Sibley Elementary in Albert Lea

Image

Chris' PM Weather Forecast 11/13

Image

Don't pull over to use your phone

Image

Avoiding Cats under car hoods

Image

Downtown Quarterly Update

Community Events