Life just got worse for the 50 million people caught up in what may be the biggest hack of Facebook ever.
On Friday, the Silicon Valley tech firm revealed that it had detected a security breach in which an as-yet unknown attacker, or attackers, managed to gain access to tens of millions of users' accounts by exploiting vulnerabilities in its software.
But it wasn't until a second, follow-up conference call with reporters on Friday that Facebook acknowledged one of the most alarming parts of the incident: Not only did the hackers obtain the ability to access the Facebook accounts of the affected users, they also had access to any other service in which a person used their Facebook account to register — including apps like Tinder, Spotify, and Airbnb.
Instagram, which is owned by Facebook, may also have been affected.
The revelation drastically widens the potential impact of the hack, putting people's private data elsewhere across the web at risk. It may force the numerous major companies and startups reliant on Facebook's login service to audit their own systems for evidence of malicious activity as a result.
Tinder, Airbnb, and Spotify — perhaps three of the highest-profile tech companies to use Facebook's login service — did not immediately respond to Business Insider's request for comment.
So what happened? In short, the attackers found a way to trick Facebook into issuing them "access tokens" — basically, digital keys — that let them access other users' accounts as if they were that user. After spotting some unusual activity earlier this month, Facebook realized what was going on on Tuesday evening and subsequently revoked these access tokens before disclosing the hack publicly on Friday — though not before 50 million people were affected.
These access keys also let the attackers theoretically access any other services that someone used Facebook's login service to log in to, whether that's dating app Tinder, or a niche smartphone game, and gain access to highly personal information.
It's not clear whether this has actually occurred — when asked, a Facebook exec said only that the company was early in its investigation — but the possibility may force the other companies to undertake their own investigations into the issue.
It's also not yet clear who is behind the attack on Facebook, or whether the attacks were targeted, and the reason behind it. Facebook has now patched the vulnerabilities and revoked the compromised access tokens, forcing affected users to log back in (though their passwords haven't been compromised, the company says) and notifying them about the issue.
But there are at least two high-profile victims of the hack that we know about: Facebook CEO Mark Zuckerberg, and COO Sheryl Sandberg. A spokesperson confirmed that the company's two top execs were both among the tens of millions of users affected.
Do you work at Facebook? Got a tip? Contact this reporter via Signal or WhatsApp at +1 (650) 636-6268 using a non-work phone, email at firstname.lastname@example.org, WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.