Why it matters: Facebook's bad year isn't getting any better. As the dust from the Cambridge Analytica scandal started to settle, the social network revealed a security vulnerability that could have exposed 50 million accounts. But the company has confirmed the hack is worse than first suspected: other apps that use Facebook’s login service, including Spotify, Tinder, and Airbnb, could have also been compromised using the vulnerability.
Facebook announced Friday that it identified the security issue earlier in the week. It involved exploiting a vulnerability in the “view as” feature, which lets people see how their profiles look to others. The fault allowed hackers to steal Facebook’s access tokens and take over people's accounts. As a security measure, Facebook forced over 90 million users to log out.
Facebook said there was no evidence the hackers had access to "private messages or posts," but warned "that may change" as the investigation continues.
Following the initial announcement, Facebook revealed in a follow-up conference call that other services using the company’s login feature could also be at risk of having these accounts compromised. Many apps and websites allow people to sign up using their Facebook credentials, and while there’s been no confirmation of any being breached, it’s another concern for the company and its users.
“The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” said Guy Rosen, Facebook’s vice president of product.
Facebook's photo- and video-sharing app Instagram could also have been affected.
Facebook said it has patched the vulnerability and reset the access tokens of all the accounts known to have been affected by this breach, but it’s not enough to repair the PR damage that’s been done. The fact that CEO Mark Zuckerberg and COO Sheryl Sandberg were two of those affected by the hack hasn’t helped matters. Since the news broke, $12 billion has been wiped from the company's value.
If all this hasn’t been enough to deal with, this week also saw Facebook admit that it uses 2FA phone numbers for ad targeting purposes.