The risk lay in the use of single sign-on, a way to let you sign into third-party apps and websites using your Facebook credentials. While this doesn’t give the third-party service access to your login details, it does generate an access token, and it was these tokens that hackers were able to misuse to view private content in accounts.
Reuters reports that a class-action lawsuit alleges that Facebook was aware of the security risks inherent in the single sign-on feature, and took steps to ensure the privacy of its own staff was protected, but did not do the same for its users.
Facebook users suing the world’s largest social media network over a 2018 data breach say it failed to warn them about risks tied to its single sign-on tool, even though it protected its employees, a court filing on Thursday showed […]
“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” the plaintiffs said in a heavily redacted section of the filing in the U.S. District Court for the Northern District of California in San Francisco.
“Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”
The access tokens didn’t give the hackers complete access to accounts, but a flaw in a feature known as View As enabled them to see information that should have been restricted to Facebook friends. The View As feature is designed to allow you to see how your Facebook profile looks to other people.
For 15 million people, hackers were able to access just name and email (or name and mobile number, for those who signed up with a phone number instead). For a further 14 million people, however, the hackers were able to see a lot more profile information and activity.
This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
I would always advise against the use of any single sign-on service — even the upcoming Apple one. I instead recommend unique, strong passwords for each individual app, website, or service you use.