Facebook hack update: Attackers did not use stolen tokens to access other sites and apps
Since the revelation that a "security issue" allowed hackers to steal access tokens to view people's Facebook accounts, the company has provided a further update about the incident. Facebook has already provided one update about the attack, but now the investigation has progressed and the social network is trying to offer reassurances to those who have understandable concerns about security.
The company says that the attackers did not access any apps that make use of Facebook Login, the system that makes it possible to sign into other accounts and services with Facebook credentials.
- Facebook rolls out new tools to help those suffering bullying and harassment
- Facebook shares more details about its massive security breach -- after blocking people from sharing news about it
- Facebook hack: 50 million users affected by site code flaw
Restating the fact that it has reset the access token for 90 million accounts -- which breaks down as "50 million that had access tokens stolen and 40 million that were subject to a View As look-up in the last year" -- Facebook says that the vulnerability has now been addressed. But of course the investigation has been continuing and in its latest update about the incident Facebook addresses concerns about Facebook Login.
In a blog post, Guy Rosen, vice president of product management, says:
We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.
Rosen goes on to say:
Any developer using our official Facebook SDKs -- and all those that have regularly checked the validity of their users' access tokens -- were automatically protected when we reset people's access tokens. However, out of an abundance of caution, as some developers may not use our SDKs -- or regularly check whether Facebook access tokens are valid -- we're building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.
The investigation continues, and Facebook says it will provide further updates in due course.