Last week Facebook reported a significant data breach that potentially compromised between 50 and 90 million accounts. This is more serious than the Cambridge Analytica issue reported earlier this year because, unlike that infamous case, this latest breach gave attackers access tokens for these accounts.
“The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” said Guy Rosen, Facebook’s Vice President of product. Imagine the following scenario: someone shares their favorite vacation spot from Airbnb on Facebook, and the hackers use the stolen token to access that person’s Airbnb account and get information about the rental properties the user owns. Any site that relies on Facebook’s Single Sign-On, like Airbnb or Spotify to name a few, is affected by the data breach.
Even though it’s unclear whether any of these accounts or access tokens were actually misused in any way (Facebook is still investigating), many security experts recommended that affected users reset their passwords as an added precaution. I was one of the affected users, and when I found myself struggling to define my new Facebook password (the 3rd one I’m forced to use in 2018), I knew it was time to stop using Facebook’s login and start using a password manager.