New York (CNN Business) — A significant breach at Facebook could have also impacted users of numerous other applications and websites. However, three days after the breach was disclosed to the public, it remains uncertain whether these companies are aware of any potential consequences for their users.
A representative from the dating application Tinder mentioned on Monday that Facebook has only provided “limited information” and urged Facebook to be more “transparent” regarding which of Tinder’s users may have been impacted.
In a statement released on Monday, Facebook indicated that it was preparing further guidance for application developers.
Various digital platforms, including well-known services like Tinder, Spotify, and Airbnb, enable users to create accounts using their Facebook credentials through a method known as Single Sign-On (SSO).
The breach, which Facebook claims affected 50 million of its users, could have allowed hackers to access their Facebook accounts and the accounts on apps and websites that utilize Facebook for SSO.
CNN contacted nearly a dozen companies that provide Facebook login capabilities. None confirmed whether they had pinpointed any overlap between their users who log in via Facebook and the 50 million Facebook users whose data was compromised.
Identifying such overlap enables companies to investigate whether data belonging to affected Facebook users may have also been compromised on their platforms.
Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, remarked that while single sign-on is a valuable tool, it also carries significant risks.
“The critical aspect here is that since Facebook has emerged as the predominant identity provider, it’s challenging to assess how many accounts may have been accessed by hackers,” stated Polakis, who has researched this feature in depth.
In an announcement to CNN on Monday, Tinder confirmed that it has conducted “a comprehensive forensic investigation” since Facebook’s “limited” disclosure and found “no evidence” indicating that accounts were accessed.
Tinder further expressed, “We will maintain our investigation and stay vigilant — as we always do — and it would greatly assist our inquiry if Facebook could share the lists of affected users transparently.”
A representative from Tinder noted that the majority of its new users register for the service without using a Facebook login.
Pinterest, another platform that allows users to log in via Facebook, informed CNN that it is collaborating with Facebook to ascertain whether any Pinterest users were affected.
Facebook communicated in a statement on Monday that developers of applications utilizing Facebook login “can observe the forced logout measures we implemented on Friday and safeguard the individuals using their apps.”
“We are in the process of preparing additional recommendations for all developers in response to this incident and to enhance user protection going forward,” a Facebook spokesperson elaborated.
Both Airbnb and GoFundMe, leading services that enable Facebook login, have not responded to CNN’s requests for comments.
Spotify assured CNN that it takes its users’ privacy and security very seriously.
The company added, “As a precaution, users who have concerns may update their Spotify password, or if their account was created using Facebook, follow Facebook’s guidelines for login.”
This advisory follows Facebook’s assurance to users that they need not change their passwords since the hackers did not access passwords.
No company contacted by CNN elaborated on the specific measures they were implementing to assure their users that they were not affected by the Facebook breach.
Headspace, a meditation and wellness application, informed CNN, “We’ve looked into the issue and found no irregularities; however, we have taken precautionary measures to safeguard our members and are continuously monitoring the situation.”
The company did not specify the nature of its investigation or the precautionary actions taken.
Other applications that let users log in via Facebook also implement extra security measures in addition to this login method.
A spokesperson for Ancestry shared with CNN, “While Ancestry supports Facebook login for certain functionalities, we always require an additional Ancestry username and password for accessing sensitive account features like downloading DNA data, modifying passwords, changing email addresses, or accessing payment information. These additional controls significantly limit our customers’ exposure.”
TransferWise, a money transfer service that permits Facebook login, indicated that its investigation is ongoing, but it has “no indication” that its customers have been affected.
The company stated that to transfer any funds, users are required to verify their identity through a secondary method that does not involve Facebook.