So far, Facebook has found no evidence that third-party apps were also compromised in the massive hack of the social networking site.
On Tuesday, the company released an update on the breach that exposed access to nearly 50 million Facebook accounts. A lingering question was whether third-party apps that use Facebook as a login service were also involved in the hack.
"We've now analyzed our logs for all third-party apps that were installed or logged in during the attack. This investigation has found no evidence that the attackers accessed apps through Facebook login," said Guy Rosen, Facebook's vice president of product management, on Tuesday.
Many popular apps like Tinder, Uber, and Airbnb let you sign up through your Facebook account so you do not have to remember a different password. The only problem with this approach is that your Facebook account effectively becomes a master key, and in the event of a breach, you may face risks from hackers across all of your connected accounts. According to security researchers, a hacker could use this access to track your car rides through an Uber account or view your private messages on Tinder.
Last Friday, Rosen himself told reporters that the breach may have affected third-party apps. It's still not clear who carried out the attack, but the hackers did not steal passwords; instead they took special access tokens for each affected user account.
"These access tokens allowed someone to use the account as if they were the account holder," he said. "That means they could have accessed other third-party apps that use Facebook login."
In response to the hack, the company reset the access tokens for 90 million users. This would require all affected individuals to log in again to their Facebook accounts and related third-party apps. Unfortunately, not every app can verify that an access token has become invalid for a user, Rosen said Tuesday.
To prevent hackers from exploiting the access tokens on third-party apps, Rosen said, "We're creating a tool that lets developers manually identify the users of their apps that might be affected." In the meantime, Rosen recommends that developers follow Facebook's best practices for login security, which require automatic verification of access tokens.
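A sketch of the automatic verification mentioned above, as an added example that is not from the article or from Facebook: a third-party app re-checks the provider token behind each local session and ends sessions whose token was reset. It assumes inspection results shaped like the `data` object of the Graph API `debug_token` response; `APP_ID`, the `inspect` hook and the sample tokens are constructed for illustration.

```python
import time

APP_ID = "111111111111111"  # constructed placeholder for this app's own ID


def token_still_valid(info, expected_user_id, now=None):
    """Return True only if the inspection result still backs this session.

    `info` is assumed to look like the `data` object of Facebook's Graph API
    debug_token response: is_valid, app_id, user_id, expires_at.
    """
    now = time.time() if now is None else now
    if not info.get("is_valid", False):
        return False  # token was reset, revoked or never valid
    if info.get("app_id") != APP_ID:
        return False  # issued to a different app
    if info.get("user_id") != expected_user_id:
        return False  # belongs to a different account
    expires_at = info.get("expires_at", 0)
    # Assumption: 0 or missing means the token carries no expiry time.
    return expires_at == 0 or expires_at > now


def sweep_sessions(sessions, inspect, now=None):
    """End every local session whose provider token no longer checks out.

    sessions: {session_id: {"user_id": str, "token": str}}
    inspect:  callable(token) -> inspection dict (hypothetical hook; in
              production it would query the provider from the server side).
    Returns the sorted list of session ids that were ended.
    """
    ended = []
    for sid, sess in list(sessions.items()):
        try:
            info = inspect(sess["token"])
        except Exception:
            info = {"is_valid": False}  # fail closed if inspection fails
        if not token_still_valid(info, sess["user_id"], now):
            del sessions[sid]
            ended.append(sid)
    return sorted(ended)


# Constructed sample data: what the provider reports for three tokens.
SAMPLE_INSPECTIONS = {
    "tok-alice": {"is_valid": True, "app_id": APP_ID, "user_id": "u1", "expires_at": 2_000_000_000},
    "tok-bob": {"is_valid": False, "app_id": APP_ID, "user_id": "u2", "expires_at": 0},
    "tok-carol": {"is_valid": True, "app_id": "999", "user_id": "u3", "expires_at": 2_000_000_000},
}
```

Running the sweep on a schedule, and again on each sensitive request, closes the gap where a local session outlives a token the provider has already reset.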