Facebook has claimed to have found no evidence that third-party apps were affected by a recently disclosed breach where attackers stole access keys for 50 million user accounts.
VP of product management, Guy Rosen, explained in an update on Tuesday that no signs have been uncovered during the investigation to indicate that “the attackers accessed any apps using Facebook Login.”
“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens — were automatically protected when we reset people’s access tokens,” he continued.
“However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”
Rosen took the opportunity to repeat Facebook Login security best practices for developers: namely that they use Facebook’s official SDKs, as these automatically check the validity of access tokens every day and force a fresh login if the social network resets them.
They were also urged to use the Graph API to keep information updated regularly and “always log users out of apps where error codes show that any Facebook session is invalid.”
Although the news will be welcomed by any companies running third-party apps that can be logged-in to via Facebook, the aftershocks of the breach itself are still coming.
Some reports have suggested Facebook log-ins are up for sale on the dark web for between $3 and $12, by trusted vendors — although there’s no confirmation that their appearance is linked to the cyber-attack reported late last week.
While most reports currently circulating — particularly those purporting that the firm is facing a GDPR fine of over $1bn — are speculative at best, there is a potential risk for users of follow-on phishing and ransom attacks.
These could include small snippets of info gleaned from any compromised accounts to make the scam appear more legitimate. Such tactics have already been used in the past to try to extort money from victims. Even those not affected by the breach could be targeted by phishers looking to capitalize on the notoriety of the incident.