A massive Facebook breach may also have affected users of hundreds of other websites and apps. But three days after the public disclosure of the breach, it’s not clear that those companies know what, if anything, might have happened to their users.
A spokesperson for the dating app Tinder said Monday that Facebook has shared only “limited information” and called on Facebook to be “transparent” about which of Tinder’s users may have been affected.
In a statement Monday, Facebook said it was preparing more guidance for app developers.
A wide range of digital services, including big names like Tinder, Spotify and Airbnb, allow users to log in to accounts on their platforms using their Facebook credentials, a process known as Single Sign-On, or SSO.
The breach, which Facebook has said affected 50 million of its users, would have allowed hackers to log in as those people on Facebook and on apps and websites that allow SSO though Facebook.
CNN reached out to almost a dozen companies that offer the Facebook login capability. None of them would say if they had identified any overlap between their users who log in using Facebook and the 50 million Facebook users whose data was exposed.
Identifying that overlap could allow the companies to examine if affected Facebook users’ data was also compromised on their platforms.
Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, said that single sign-on is a useful feature, but also a very risky one.
“The importance here is that since Facebook has become the most popular identity provider out there it’s not easy to evaluate how many accounts of yours hackers might have accessed,” said Polakis, who has studied the feature extensively.
In a statement to CNN on Monday, Tinder said it has done “a full forensic investigation” since Facebook’s “limited” disclosure and has found “no evidence to suggest accounts have been accessed.”
Tinder continued, “We will continue to investigate and be vigilant — as we always are — and if Facebook would be transparent and share the affected user lists, it would be very helpful in our investigation.”
A Tinder spokesperson pointed out that most of its new users sign up to the service without using a Facebook login.
Pinterest, another company that allows its users to log in using Facebook, told CNN that it was working with Facebook to determine if any Pinterest users were impacted.
Facebook said in a statement Monday that developers of apps that use Facebook login “can detect the forced logout actions we took on Friday and protect people using their apps.”
“We are preparing additional recommendations for all developers responding to this incident and to protect people going forward,” a Facebook spokesperson added.
Airbnb and GoFundMe, two major services that allow users to log in through Facebook, did not respond to CNN’s requests for comment.
Spotify told CNN it takes the security of its users’ privacy very seriously.
The company added that “as a precaution, concerned users can update their Spotify password, or if the account was created through Facebook, the Facebook login via their instructions.”
The precautionary advisory comes after Facebook told users that they didn’t need to change their passwords because the hackers did not have access to passwords.
No company that CNN reached out to explained what practical steps they were taking to ensure their users had not been affected by the attack on Facebook.
Headspace, a meditation and wellness app, told CNN, “We’ve investigated the matter and found no abnormalities, though we have initiated precautionary measures to protect our members and are continuing to monitor.”
The company did not detail what its investigation entailed nor what precautionary measures it took.
Other apps allow their users to log in through Facebook but have additional security measures on top of that login.
A spokesperson for Ancestry told CNN, “While Ancestry does support Facebook login for some functions, we always require an additional Ancestry username and password to access sensitive account functions such as downloading your DNA data, changing your password, changing your email address or accessing payment information. Our customers’ exposure is minimized by these additional controls.”
TransferWise, a money wire service that allows users to log in through Facebook, said its investigation was underway but that it had “no indication” that its customers had been affected.
The company said that in order for any money to be transferred users are asked to verify their identity through a second step that does not involve Facebook.