You might have heard about the Facebook security breach that affected anywhere from 50 million to 90 million users. Well, it turns out that it was worse than initially reported, according to Wired. While it was established that hackers could “see everything in a victim’s profile” and Facebook “automatically logged out 90 million Facebook users from their accounts this morning,” it wasn’t until later on Friday that Wired discovered a new layer to the breach.
“What it failed to mention initially, but revealed in a followup call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted it means that a hacker could have accessed any account that you log into using Facebook.”
This feature, called “Single Sign-on,” was developed to make it easier for people to sign up on new websites. Instead of creating a profile from scratch, for example, users could simply opt to “sign in” using their Facebook credentials.
So with the new information, it’s possible that people’s accounts all over the internet are jeopardized as a result of the hack. Wired further elaborated.
“It’s unclear how long those third-party sites will accept the stolen access tokens, or how difficult it would be for an attacker to use an access token to get into a third-party site.”
Facebook hasn’t confirmed any security breaches in relation to third-party sites, and further details are still fuzzy.
“The breach impacted Facebook's implementation of Single Sign-On, the practice that lets you use one account to log into others…through an entity you trust.” Let’s play “spot the flaw in the argument.” https://t.co/Kq9uirvqsq
— Peter Coffee (@petercoffee) September 29, 2018
Single Sign-on is a fairly popular option that was rolled out in 2010, detailed CNET. The concept hasn’t changed in the past eight years, with the option making it possible for users to easily connect with third-party apps and services. Some of the first sites that used the feature included Yelp, while currently, it’s used by giants like Spotify, Airbnb, and Tinder.
The revelation may not come as a huge shock to those in the tech industry, as Wired even warned users of the pitfalls of single sign-on back in April. The main focus then was that the third-party apps could gain personal data without the users’ knowledge. Personal information could include things like birthdays, email addresses, ages, and names.
However, in today’s scenario, single sign-on’s biggest pitfall is that if Facebook is hacked, then all of your accounts throughout the internet could be part of the breach. It’s really no different than using a single password for all of your important logins: if a hacker discovers that one password, they can access all of your sites.
For now, the severity of the fallout is still under investigation, as Guy Rosen, Facebook’s vice president of product, stated.
“We’re just starting to work through the full scope of what we’ve seen here,” Rosen said,