In brief: As Facebook lurches from one PR disaster to another, the company finally has a little bit of good news—for both it and its customers. Last week's attack, in which hackers stole the account access tokens of at least 50 million users, doesn't appear to have affected third-party apps such as Spotify, Tinder, and Airbnb.
The vulnerability involved using the platform’s “view as” and video uploader features to steal users' access tokens and take over their accounts. There were concerns that other apps which use Facebook Login might have also been affected, but it looks as if damage from the hack didn’t reach this far.
“We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week,” said Guy Rosen, Facebook’s vice president of product management, in an updated post. “That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”
“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens,” he added.
Rosen said Facebook is “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.” It’s designed for those devs who don’t use Facebook’s developer tools.
As noted by Reuters, Facebook might have been quick to put forward the hack's worst-case scenario as a way of complying with Europe’s recent General Data Protection Regulation (GDPR) law. Five million people in Europe were affected by the breach, and if EU regulators find Facebook didn’t do enough to protect its users, the company could face fines reaching up to $1.63 billion.