It’s been three days since Facebook reported that hackers obtained access tokens for 50 million user accounts, in what is believed to be the largest such data breach in its history. Here’s what we’ve learned since then — and what we haven’t.
One, the breach may have affected other third-party services that use the Facebook Connect identity platform. Several large internet services rely heavily on Facebook logins, including Spotify, Airbnb, and Tinder. Anyone who had full access to a user’s account would have been able to log into those services as well, possibly undetected.
Notably, none of these Facebook Connect customers have had much to say about the effect of the breach on their own services, likely because they are still investigating. Tinder was the exception, saying Facebook had shared only limited information and calling on it to share more.
The third-party developer situation set off a secondary debate about the wisdom of using Facebook login. On the pro side, Facebook login offers enhanced security measures such as “risk-based logins” — challenging users to provide additional information if it suspects a password has been stolen. On the con side, Facebook’s dominance has created something resembling a single point of failure for online security.