Facebook Says No Apps Were Accessed in Recent Hack

Facebook has shared another update on the hacker attack disclosed last week. The social media giant says there is no evidence that the attackers accessed any third-party apps.

Facebook revealed on September 28 that it had reset the access tokens for 90 million accounts, including 50 million that were directly impacted and 40 million deemed at risk.

Hackers obtained access tokens for nearly 50 million accounts after exploiting three distinct bugs in the View As feature, which shows users how others see their profile, and a video uploader interface introduced in July 2017. The vulnerability was patched and Facebook informed users in its initial blog post that it had found no evidence of misuse, but noted that its investigation is ongoing.

The company admitted that the attackers could have accessed not only Facebook accounts with the compromised tokens, but also third-party apps that use Facebook login. Resetting the tokens eliminated the risk of unauthorized access to these applications, but Facebook still had to figure out if any apps were accessed during the attack.

A blog post published by the company on Tuesday said there was no evidence of unauthorized access to apps based on an analysis of logs for all third-party apps installed or logged in during the attack.

Facebook has also created a tool to help developers determine if any of their users have been impacted.

“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens,” explained Guy Rosen, VP of Product Management at Facebook. “However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”

Facebook has advised developers to use its official SDKs for Android, iOS and JavaScript as these automatically check the validity of access tokens, and log their users out of the app when error codes show an invalid session.
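For apps that do not use the official SDKs, the same behavior can be applied server-side. The sketch below is an added example, not code from the article or from Facebook's SDKs: it treats Graph API error codes 190 (invalid or expired access token) and 102 (invalid API session) as a reason to end the local session, and keeps sessions that fail for other reasons. The function names, the injected `callGraph` helper, and all sample tokens and responses are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.
// Graph API error bodies have the shape { error: { type, code, message } }.
// Code 190 means the access token is expired, revoked or otherwise invalid;
// code 102 signals an invalid API session.
const INVALID_SESSION_CODES = new Set([102, 190]);

function isInvalidSession(body) {
  const err = body && body.error;
  return Boolean(err) && INVALID_SESSION_CODES.has(err.code);
}

// sessions: Map of userId -> token held by the app.
// callGraph: injected function (hypothetical) that makes an authenticated
// Graph API call with the token and returns the parsed JSON body.
function revalidateSessions(sessions, callGraph) {
  const loggedOut = [];
  const retryLater = [];
  for (const [userId, token] of [...sessions]) {
    const body = callGraph(token);
    if (isInvalidSession(body)) {
      sessions.delete(userId); // drop the local session: user must log in again
      loggedOut.push(userId);
    } else if (body && body.error) {
      retryLater.push(userId); // other error: not proof that the token is bad
    }
  }
  return { loggedOut, retryLater };
}

// Constructed sample: three app users and canned Graph API responses.
const sampleSessions = new Map([
  ['alice', 'tok-reset-by-facebook'],
  ['bob', 'tok-still-valid'],
  ['carol', 'tok-rate-limited'],
]);
const cannedResponses = {
  'tok-reset-by-facebook': {
    error: { type: 'OAuthException', code: 190, message: 'Error validating access token' },
  },
  'tok-still-valid': { id: '1000001', name: 'Bob' },
  'tok-rate-limited': { error: { code: 4, message: 'Application request limit reached' } },
};
const sampleResult = revalidateSessions(sampleSessions, (t) => cannedResponses[t]);
console.log(sampleResult, [...sampleSessions.keys()]);
```

Running the check on a schedule, rather than only at login, is what makes a token reset on Facebook's side propagate to the app's own sessions.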

Facebook has yet to provide any information on the attackers and their motives, and the attack does not appear to be targeted at a specific country or region.

The social media giant faces lawsuits and government investigations as a result of the incident, and the company’s stock has been steadily falling since the disclosure of the breach. It dropped from nearly $169 on September 27 to just over $159 on Tuesday.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
