A Facebook hack which left the accounts of more than 50 million users compromised may have also affected third-party apps such as Tinder, Spotify and Instagram, if people used their Facebook account to register for the services.
The added repercussions of the massive security breach were confirmed by the company later Friday, during a follow-up conference call with reporters. Facebook acknowledged that not only had hackers obtained the ability to access Facebook accounts of affected users, they could also access any other service in which a Facebook account was used for registration.
Thousands of websites and apps including Tinder, Spotify, Airbnb and Instagram allow you to register and sign in using Facebook. This saves users having to create various passwords and usernames for each site.
It’s not clear yet if any third-party accounts were actually compromised, but it means the possible fallout is far more widespread than initially indicated and other companies may need to carry out their own investigations into the matter.
Facebook announced Friday that 50 million accounts were affected by a security breach on September 25. Hackers used a vulnerability in the platform’s code to steal other users’ ‘access tokens’ and log into their accounts. These tokens also allow the attackers to access any other accounts affected users log in to using Facebook.
“The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” Guy Rosen, Facebook’s vice president of product, said.
uh this is bad: Facebook telling reporters now that this hack disclosed earlier today would have let hacker login to third party apps through a compromised Facebook account
so basically a Cambridge Analytica redux situation we’re potentially looking at
— Alex Heath (@alexeheath) September 28, 2018
It’s unclear how difficult it would be for an attacker to use an access token to get into a third-party site.
The massive security breach is the latest turmoil to hit Facebook, which is still reeling from the Cambridge Analytica scandal in which personal data belonging to millions of Facebook profiles was harvested by the data analytics firm to target them with political ads.
Facebook also admitted this week that it uses phone numbers provided for security purposes to target individuals with ads as well as shadow contact information – data not directly provided by the user but obtained from their ‘friends’ list.
READ MORE: Facebook using phone numbers submitted for security purposes to target ads
Like this story? Share it with a friend!