Hours after Facebook announced on Friday a huge data breach that affected at least 50 million users, the news got worse.
In a conference call with reporters—Facebook’s second of the day, after the first one left many questions unanswered—the company’s vice president of product, Guy Rosen, said that the hackers could have also gained access to users’ accounts on other apps and websites, beyond Facebook itself, via Facebook Login. That’s the feature of Facebook that allows you to sign up for, and log in to, all kinds of other online services using your Facebook credentials. For users whose Facebook accounts were hacked, the company confirmed, it’s possible that those third-party accounts could have been breached as well.
The follow-up call was meant to clarify some of the details of the breach, which is almost certainly the most significant in Facebook’s history. In it, Rosen explained how three separate bugs combined to give hackers a path to full control of users’ Facebook accounts. They gained access not by stealing users’ passwords, but via a sort of digital key called an “access token” that’s meant to let you into your account on another device (say, your phone) automatically when you’re already logged in on another (say, your laptop).
The good news is that the hackers don’t have anyone’s Facebook passwords—so even users who were affected by the breach don’t necessarily have to change those. The bad news: They could theoretically have used that same token to gain access to some of users’ other online accounts, depending on how the relevant apps and sites handle Facebook access tokens. It was not immediately clear whether the hackers—who remain unknown—actually took advantage of this, nor how easy it would have been for them to do so.
Any such connections should have been broken when Facebook reset the access tokens of the affected users, beginning Thursday night. That would have logged users out of those third-party apps and sites.
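The two paragraphs above turn on how a third-party site handles a Facebook access token: if it checks the token once at login and then trusts its own session indefinitely, a reset at Facebook does nothing for it. The following is an added example, not code from Facebook or from any of the affected apps, of what a defensively written relying party does instead: it validates every token server-side against the shape of the Graph API debug_token reply (app id, validity, expiry), and it re-validates the token periodically so that a session dies shortly after Facebook invalidates the token behind it. The debug_token replies, the app id, user ids and token strings are constructed for the example; no network request is made.

```python
import secrets

# Placeholder for the relying party's own Facebook app id (assumption).
OUR_APP_ID = "APP_ID_PLACEHOLDER"

# Constructed sample replies shaped like Facebook's Graph API debug_token
# endpoint (GET /debug_token?input_token=<token>&access_token=<app token>).
# The dict stands in for the HTTPS call so the example runs offline.
DEBUG_TOKEN_REPLIES = {
    "tok-alice": {"data": {"app_id": OUR_APP_ID, "is_valid": True,
                           "expires_at": 4102444800, "user_id": "alice"}},
    # Valid token, but minted for a different app: must not log anyone in here.
    "tok-other-app": {"data": {"app_id": "SOME_OTHER_APP", "is_valid": True,
                               "expires_at": 4102444800, "user_id": "alice"}},
    # Token whose expiry has already passed.
    "tok-expired": {"data": {"app_id": OUR_APP_ID, "is_valid": True,
                             "expires_at": 1000, "user_id": "bob"}},
}


def fetch_debug_token(token):
    """Stand-in for the HTTPS request. An unknown token is reported as invalid,
    which is also how a token reads once Facebook has reset it."""
    return DEBUG_TOKEN_REPLIES.get(
        token, {"data": {"is_valid": False, "error": {"code": 190}}})


def validate_token(token, now, fetch=fetch_debug_token):
    """Return the Facebook user id if the token is currently valid for OUR app,
    otherwise None. Every check is done server-side; nothing from the client
    is trusted beyond the opaque token string."""
    data = fetch(token).get("data", {})
    if not data.get("is_valid"):
        return None
    if data.get("app_id") != OUR_APP_ID:
        return None                      # token belongs to another app
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:  # 0 means a non-expiring token
        return None
    return data.get("user_id")


class SessionStore:
    """Local sessions tied to the Facebook token that created them. Sessions
    are re-checked against Facebook every `recheck_interval` seconds, so a
    token reset at Facebook ends the local session at the next check."""

    def __init__(self, recheck_interval=300, fetch=fetch_debug_token):
        self.recheck_interval = recheck_interval
        self.fetch = fetch
        self.sessions = {}

    def login(self, token, now):
        user_id = validate_token(token, now, self.fetch)
        if user_id is None:
            return None
        sid = secrets.token_urlsafe(16)  # our own session id, never the FB token
        self.sessions[sid] = {"user_id": user_id, "token": token, "checked_at": now}
        return sid

    def is_active(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["checked_at"] >= self.recheck_interval:
            if validate_token(s["token"], now, self.fetch) != s["user_id"]:
                del self.sessions[sid]   # token revoked or expired upstream
                return False
            s["checked_at"] = now
        return True


if __name__ == "__main__":
    store = SessionStore(recheck_interval=300)
    sid = store.login("tok-alice", now=1000)
    print("login ok:", sid is not None)
    print("other-app token rejected:", store.login("tok-other-app", 1000) is None)
    DEBUG_TOKEN_REPLIES.pop("tok-alice")         # simulate Facebook's token reset
    print("still active before recheck:", store.is_active(sid, 1200))
    print("active after recheck:", store.is_active(sid, 1400))
```

The recheck interval is a design choice: the shorter it is, the sooner an upstream reset logs the user out locally, at the cost of more calls to Facebook. Issuing a session id of our own, rather than storing the Facebook token in the browser, also keeps a leaked local session from doubling as a Facebook credential.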
Facebook also clarified that users affected by the Facebook breach who had Instagram or Oculus accounts linked to their Facebook account would need to delink and relink those accounts. One piece of good news: WhatsApp was apparently not affected. The story is still developing, and more details are likely to emerge in the days to come.
But there’s already one conclusion we can draw: There was a time when Facebook harbored ambitions to be a sort of “universal login” for sites and apps everywhere—like a driver’s license for the online world. That never quite came to pass, but it did get pretty far along. This should be the final answer to the question of whether it was ever a good idea.