Stolen login IDs never misused, confirms FB
● Investigation has found no evidence of hackers accessing any apps using Facebook Login. ● They may have painted worst- case scenario to comply with new EU rules.
Facebook Inc said on Tuesday that investigators have determined that hackers did not access other sites that use the social networking site’s single sign- on in a massive cyber attack that the company disclosed last week.
“We analysed thirdparty access during the time of the attack we have identified. That investigation has found no evidence that the attackers accessed any apps using Facebook Login,” said Guy Rosen, a Facebook vice president overseeing security, in a statement sent to Reuters.
The new announcement comes after Facebook last week disclosed its worst- ever security breach, saying hackers had stolen login codes that allowed them to access nearly 50 million Facebook accounts.
Facebook shares fell for a third day, dropping 1.9 per cent to $ 159.33. Rosen had warned on a conference call that the hackers could have also accessed third- party websites and apps that allow users to access their accounts using Facebook logins. Some security experts, including a former Facebook executive, said the company may have painted a dire, worst- case scenario when it disclosed the attack to ensure that compliance with strict new European Union privacy rules that took effect in late May.
The EU’s General Data Protection Regulation, or GDPR, imposes steep penalties if companies fail to follow rules that include a requirement that they disclose breaches within 72 hours of discovery. That is a tight window that security experts say does not give investigators adequate time to determine the impact of the breach.
“Interesting impact of the GDPR 72- hour deadline: Companies announcing breaches before investigations are complete,” former senior Facebook CISO Alex Stamos said in a tweet.
The result is that “everybody is confused on actual impact, lots of rumours,” he tweeted, adding that “a month later, the truth is included in the official filing.” The social networking company’s initial warning that the attackers may have acessed external accounts using Facebook Login was alarming because more than 42,000 websites use the service, according to estimates from esearchers with the University of Illinois at Chicago. The warnings prompted some sites to launch their own investigations amid concerns that the attack could highly reverberate across the internet.
UK- based travel site Skyscanner and IKEA’s TaskRabbit, which provides home repairs and furniture assembly, said they would probe the potential impact on their customers. Ridehailing service Uber Technologies said it has closed active sessions using Facebook login credentials as it investigated the matter.