Facebook: there's 'no evidence' third-party apps were impacted by data breach, yet

Facebook said as far as it could see, the vulnerabilities didn't extend to its single sign-on feature / Facebook

Following confirmation that at least 50 million Facebook accounts were compromised by hackers last week, the social network claims to have found "no evidence" that the data breach extended to third-party accounts users may have linked to their profiles.

Over the past few days, there's been some concern that the vulnerability would have a wider-reaching impact than first anticipated. Questions were raised about whether outsiders gained access to any external apps users had linked to their Facebook accounts, like Spotify and Tinder. However, Facebook said the vulnerabilities didn't extend to its single sign-on feature – which lets people use the service to sign up for external apps and services via their profile.

The company's own probe found no sign of hackers stealing automated log-in credentials (or in tech speak 'access tokens').

"We’ve had questions about what exactly this attack means for the apps using Facebook Login," said Guy Rosen, Facebook's vice-president of product development, in a blog.

"We have now analysed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login."

Just because Facebook's internal investigation hasn't found any misuse of stolen access tokens on third-party sites, though, doesn't mean it won't be an issue.

The platform is building "a tool" to allow developers to manually identify users who may have been affected. The feature will also let third-party providers log users out of their services, which resets the access token and protects their security.

The Drum has reached out to Spotify, Airbnb, Uber and Tinder to see if they will be using the tool. At the time of writing, the companies hadn't yet issued a response.

Dana Simberkoff, chief risk, privacy, and information security officer for enterprise security firm AvePoint, told the Guardian that using single sign-on carries heavy security risks for users.

"You should not use one app to log into another, because when one of those systems is compromised, everything else you interact with can be as well," he said.

Last week, Facebook revealed that multiple bugs in its 'view as' and video posting features exposed people to hackers. It said specific posts containing personal information such as age, gender and location were bugged; however, it assured users that their password and credit card information was safe.

In response, Facebook logged out 50 million people it knows were affected by the attack, as well as an additional 40 million who were looked up using the 'view as' tool in the last year. It has also temporarily dropped that capability.

Facebook could face a $1.6bn GDPR fine over the breach.

The news came just months after its Cambridge Analytica scandal, which revealed the information of up to 87m Facebook users to political firms and cost Facebook a lot of money in apology ads.
