New York (CNN Business)
Facebook’s massive breach could also have affected users of hundreds of other websites and apps. But three days after the breach was publicly disclosed, it’s unclear whether the companies know what, if anything, may have happened to their users.
A spokesman for dating app Tinder said on Monday that Facebook had shared only “limited information” and called on Facebook to be “transparent” about which Tinder users may have been affected.
Facebook said in a statement on Monday that it was preparing more guidance for app developers.
Various digital services including Tinder, Spotify and Airbnb allow users to use Facebook credentials to log into accounts on their platforms, a process known as single sign-on (SSO).
Facebook said the breach affected 50 million users and allowed hackers to log into Facebook as those users, as well as into applications and websites that allow single sign-on through Facebook.
CNN contacted nearly a dozen companies that offer Facebook login capabilities. None disclosed whether they found any overlap between users who logged in using Facebook and the 50 million Facebook users whose data was compromised.
Determining this overlap could allow each company to examine whether affected Facebook users’ data was also compromised on its platform.
Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago, said single sign-on is a useful feature, but it is also a very dangerous one.
“The importance here is that since Facebook has become the most popular identity provider, it’s not easy to assess how many accounts a hacker might have accessed,” said Polakis, who has studied the feature extensively.
Tinder said in a statement to CNN on Monday that it had conducted a “comprehensive forensic investigation” since Facebook’s “limited” disclosure and found “no evidence that the account had been accessed.”
Tinder continued: “As always we will continue to investigate and remain vigilant, and it would be very helpful to our investigation if Facebook could be transparent and share a list of affected users.”
A Tinder spokesperson noted that most new users sign up for the service without logging in with Facebook.
Pinterest, another company that allows users to log in with Facebook, told CNN it is working with Facebook to determine if any Pinterest users were affected.
Facebook said in a statement on Monday that app developers who use Facebook Login “can detect the forced logout action we took on Friday and protect users using their apps.”
A Facebook spokesperson added: “We are preparing additional advice for all developers responding to this incident and to keep people safe.”
Airbnb and GoFundMe, two major services that allow users to log in through Facebook, did not respond to CNN’s requests for comment.
Spotify told CNN it takes the security of user privacy very seriously.
The company added, “As a precaution, concerned users can update their Spotify password or, if the account was created through Facebook, follow their instructions to log in with Facebook.”
Facebook told users they didn’t need to change their passwords because hackers couldn’t access them, and issued preventive advice.
None of the companies contacted by CNN explained what practical steps they were taking to ensure their users were not affected by the Facebook attack.
Meditation and wellness app Headspace told CNN, “We have investigated the matter and found nothing unusual, but we have taken precautions to protect our members and continue to monitor.”
The company did not elaborate on the investigation or what precautions were taken.
Other apps allow users to log in through Facebook, but have additional security measures in place beyond just logging in.
An Ancestry spokesperson told CNN, “While Ancestry does support certain Facebook Login features, we have always required an additional Ancestry username and password to access sensitive account features, such as downloading DNA data, changing passwords, changing email addresses, or accessing payment information. With these additional controls, our customers’ exposure is minimized.”
TransferWise, a money transfer service that allows users to log in through Facebook, said an investigation was ongoing but there was “no indication” that its customers had been affected.
In order to transfer any funds, users will need to verify their identity through a second step that does not involve Facebook, the company said.