A new report claims that Facebook’s latest hack, which affected up to 50 million users, could also impact Facebook-linked apps such as Instagram, Airbnb, and Tinder.
It was recently reported that a security bug related to a vulnerability in Facebook’s “view as” feature which allowed users to see what their own Facebook profile would look like to someone else, allowed hackers to steal the security tokens of other users accounts and use these to then access that user’s account. Now it appears that the same security tokens could be used to access accounts of websites that use the “Facebook Login” feature.
This means that any third-party app that uses the “Facebook Login” feature could be at risk, including apps such as Instagram, Tinder, Airbnb and many others. Guy Rosen, Facebook’s vice president of product management, stated in the blog post revealing the bug: “The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves.”
A spokesperson for the National Cyber Security Center commented on the latest hack stating: “There is no evidence that people have to take action such as changing their passwords or deleting their profiles. However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
Facebook could also face major fines in the EU for their latest security breach. A report from the Wall Street Journal states:
A European Union privacy watchdog could fine Facebook Inc. as much as $1.63 billion for a data breach announced Friday in which hackers compromised the accounts of more than 50 million users, if regulators find the company violated the bloc’s strict new privacy law.
Ireland’s Data Protection Commission, which is Facebook’s lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which EU residents might be affected.
In an emailed statement, the regulator said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
A spokeswoman for Facebook said Sunday that the company will respond to follow-up questions from Ireland’s DPC and keep regulators apprised of further developments. Facebook Chief Executive Mark Zuckerberg said Friday that the social network was taking the breach very seriously, and that it is still trying to determine many details around the scope and impact of the incident.