Facebook finds ‘no evidence’ hackers accessed third-party apps with its Facebook Login

Facebook has said it’s found “no evidence” that third-party apps were affected by the data breach it revealed last week.

Hackers stole account access tokens on at least 50 million users by exploiting a chain of three vulnerabilities inadvertently introduced by Facebook last year. Another 40 million also may have been affected by the attack. Facebook revoked those tokens — which keep users logged in when they enter their username and password — forcing users to log back into the site again.
But there was concern that third-party apps, sites and services that rely on Facebook to log in — like Spotify, Tinder and Instagram — also may have been affected, prompting companies that use Facebook Login to seek answers from the social networking giant.

Facebook security VP Guy Rosen revealed that investigators “found no evidence” of the intruders accessing third-party apps with its Facebook Login feature. Some sites using the single sign-on also confirmed that there was no indication of a data breach on their end, although they’re not necessarily taking chances.

“We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week,” said Guy Rosen, in a blog post. “That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”

“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens,” he said.

Admittedly, Rosen said that not all developers use Facebook’s developer tools, so the social network is “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”