Facebook: Attackers Did Not Breach Third-Party Sites


Sites such as Airbnb and Spotify that use Facebook logins are unaffected by last week’s massive hack, the company now believes

Facebook has said it has no reason to believe that hackers who breached the social network last week also penetrated third-party accounts that allow Facebook logins.

Popular sites including Tinder, Airbnb and Spotify allow users to gain access by entering their Facebook credentials.

When it reported the hack last week, Facebook initially said it was possible the attackers had stolen access tokens and used them to gain entry to such third-party accounts.

The company has now said in a statement that it has found no evidence “so far” that the intruders have in fact done so.

Immediate disclosure

“We’re sorry that this attack happened — and we’ll continue to update people as we find out more,” wrote Facebook vice president of product management Guy Rosen in a blog post.

The gap between Facebook’s initial disclosure and the release of its findings is due to the fact that under new European data protection regulations, companies are required to report breaches within 72 hours.

The GDPR requirements mean firms must report incidents while they are still carrying out their investigations.

Alex Stamos, Facebook’s chief security officer until August of this year, said the rules meant added difficulties for investigators.

He cited a breach at a financial institution in which the company delayed reporting the incident while it worked with the US Secret Service to successfully lure the attackers into a trap.

Rapid disclosure prevents “any possible coordination with law enforcement”, he wrote on Twitter.

But other commentators said users have a right to know when their data has been accessed in a breach.

“If I was in charge of incident response I would want more time,” tweeted James, a security researcher. “But normally I’m the customer (or victim) — and I’d like to know ASAP.”

Engineering flaw

Facebook said it believes up to 50 million accounts have been affected by the breach.

The company reset the access tokens of another 40 million users as a precautionary measure.

The problem was due to a bug in ‘View As’, a feature that allows users to see what their profile looks like to other users.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook said last week. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

The data protection commissioner of Ireland, where Facebook’s European headquarters is located, estimated that less than 10 percent of the accounts affected belong to European users.

The fact that Europeans are affected means, however, that Facebook could be exposed to action under the GDPR, which allows for stiff financial penalties.

The Wall Street Journal estimated Facebook could face a maximum fine of $1.63bn (£1.26bn), or 4 percent of its annual global turnover.

The Irish data protection office said this week it is preparing to open an investigation into the matter under the GDPR.

The office said it is engaging in steps preliminary to an investigation, including information-gathering, establishing the scope of the inquiry and determining under which GDPR provisions the probe would be carried out.

The commissioner’s office said that while Facebook had been timely in its notification of the breach, its notice “lacked detail”, making it difficult to determine the nature of the breach and the risks posed to users.