Facebook Says Hackers Did Not Use Stolen Logins on Third-Party Sites
Facebook on Tuesday said hackers who stole digital keys to tens of millions of accounts appear not to have tampered with third-party applications linked to the social network.
Facebook engineers analysed logs of outside applications and found no sign of trouble, according to product management vice president Guy Rosen.
“That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login,” Rosen said in a blog post.
Facebook revealed on Friday that up to 50 million accounts were breached by hackers, dealing a blow to its effort to convince users to trust it with their data.
The social network is investigating the extent of harm done when hackers exploited a trio of software flaws to steal “access tokens,” the equivalent of digital keys that enable people to automatically log back into the social network.
Facebook chief executive Mark Zuckerberg said engineers discovered the breach on September 25, and had a patch in place two days later.
“We don’t know if any accounts were actually misused,” Zuckerberg said last week. “This is a serious issue.”
Attackers would have been able to meddle with Instagram or Messenger accounts linked to Facebook, but could not have tampered with the social network’s WhatsApp messaging service, according to executives.
Facebook said that it noticed an unusual spike in activity on September 16 related to a “view as” feature and determined nine days later that it was malicious.
Hackers took advantage of a “complex interaction” between three software bugs, which required a degree of sophistication, according to Rosen. The vulnerability was created by a change to a video uploading feature in July of 2017.
As a precaution, Facebook took down the “view as” feature – described as a privacy tool to let users see how their profiles look to other people.
Facebook reset the 50 million breached accounts, meaning users needed to sign back in using passwords.
No passwords were taken in the breach, according to Rosen.
Information hackers appeared interested in included names, genders, and home towns, but it was not clear for what purposes, the executives said in a telephone briefing.
The stolen tokens gave hackers complete control of accounts. Facebook is trying to determine whether hackers tampered with posts or messages.
Hackers could have also accessed third-party applications linked to Facebook accounts.
Facebook said it took a precautionary step of resetting “access tokens” for another 40 million accounts where the “view as” was used.
“We’re sorry that this attack happened and we’ll continue to update people as we find out more,” Rosen said.
The breach is the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.