Tinder, Pinterest and others struggle to determine how Facebook hack affects their users

A massive Facebo...

Posted: Oct 2, 2018 11:00 AM
Updated: Oct 2, 2018 11:00 AM

A massive Facebook breach may also have affected users of hundreds of other websites and apps. But three days after the public disclosure of the breach, it's not clear that those companies know what, if anything, might have happened to their users.

A spokesperson for the dating app Tinder said Monday that Facebook has shared only "limited information" and called on Facebook to be "transparent" about which of Tinder's users may have been affected.

In a statement Monday, Facebook said it was preparing more guidance for app developers.

A wide range of digital services, including big names like Tinder, Spotify and Airbnb, allow users to log in to accounts on their platforms using their Facebook credentials, a process known as Single Sign-On, or SSO.

The breach, which Facebook has said affected 50 million of its users, would have allowed hackers to log in as those people on Facebook and on apps and websites that allow SSO though Facebook.

CNN reached out to almost a dozen companies that offer the Facebook login capability. None of them would say if they had identified any overlap between their users who log in using Facebook and the 50 million Facebook users whose data was exposed.

Identifying that overlap could allow the companies to examine if affected Facebook users' data was also compromised on their platforms.

Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, said that single sign-on is a useful feature, but also a very risky one.

"The importance here is that since Facebook has become the most popular identity provider out there it's not easy to evaluate how many accounts of yours hackers might have accessed," said Polakis, who has studied the feature extensively.

In a statement to CNN on Monday, Tinder said it has done "a full forensic investigation" since Facebook's "limited" disclosure and has found "no evidence to suggest accounts have been accessed."

Tinder continued, "We will continue to investigate and be vigilant — as we always are — and if Facebook would be transparent and share the affected user lists, it would be very helpful in our investigation."

A Tinder spokesperson pointed out that most of its new users sign up to the service without using a Facebook login.

Pinterest, another company that allows its users to log in using Facebook, told CNN that it was working with Facebook to determine if any Pinterest users were impacted.

Facebook said in a statement Monday that developers of apps that use Facebook login "can detect the forced logout actions we took on Friday and protect people using their apps."

"We are preparing additional recommendations for all developers responding to this incident and to protect people going forward," a Facebook spokesperson added.

Airbnb and GoFundMe, two major services that allow users to log in through Facebook, did not respond to CNN's requests for comment.

Spotify told CNN it takes the security of its users' privacy very seriously.

The company added that "as a precaution, concerned users can update their Spotify password, or if the account was created through Facebook, the Facebook login via their instructions."

The precautionary advisory comes after Facebook told users that they didn't need to change their passwords because the hackers did not have access to passwords.

No company that CNN reached out to explained what practical steps they were taking to ensure their users had not been affected by the attack on Facebook.

Headspace, a meditation and wellness app, told CNN, "We've investigated the matter and found no abnormalities, though we have initiated precautionary measures to protect our members and are continuing to monitor."

The company did not detail what its investigation entailed nor what precautionary measures it took.

Other apps allow their users to log in through Facebook but have additional security measures on top of that login.

A spokesperson for Ancestry told CNN, "While Ancestry does support Facebook login for some functions, we always require an additional Ancestry username and password to access sensitive account functions such as downloading your DNA data, changing your password, changing your email address or accessing payment information. Our customers' exposure is minimized by these additional controls."

TransferWise, a money wire service that allows users to log in through Facebook, said its investigation was underway but that it had "no indication" that its customers had been affected.

The company said that in order for any money to be transferred users are asked to verify their identity through a second step that does not involve Facebook.

Mississippi Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 67649

Reported Deaths: 1912
CountyConfirmedDeaths
Hinds5613118
DeSoto365831
Harrison252036
Madison242266
Rankin228334
Jackson227642
Jones189958
Forrest180656
Washington166341
Lee146241
Lauderdale141292
Neshoba128692
Lamar122014
Oktibbeha112239
Bolivar111334
Warren109333
Lowndes107737
Panola105913
Sunflower103925
Scott100320
Lafayette97316
Copiah95428
Pike93636
Leflore93363
Holmes89248
Grenada84721
Yazoo83112
Pontotoc8278
Lincoln81741
Monroe79655
Simpson79630
Leake78825
Wayne76721
Coahoma76013
Tate73429
Marshall6959
Marion67720
Union63616
Adams62325
Winston62016
Covington61213
George5815
Pearl River55039
Newton54211
Tallahatchie53110
Attala52225
Walthall50220
Chickasaw46219
Noxubee45711
Alcorn4285
Calhoun4189
Tishomingo4175
Prentiss41210
Claiborne40713
Smith40513
Clay39614
Hancock39014
Jasper3869
Tippah36613
Itawamba35910
Tunica3377
Clarke32726
Montgomery3265
Lawrence3238
Yalobusha31510
Humphreys29311
Quitman2691
Carroll26111
Greene25012
Perry2367
Webster23412
Kemper23314
Amite2326
Jefferson Davis2316
Wilkinson21213
Stone1995
Sharkey1975
Jefferson1967
Benton1441
Choctaw1344
Franklin1272
Issaquena261
Unassigned00

Alabama Coronavirus Cases

Confirmed Cases: 99390

Reported Deaths: 1733
CountyConfirmedDeaths
Jefferson13109243
Mobile9947207
Montgomery6835148
Madison537834
Tuscaloosa421373
Unassigned359961
Baldwin354425
Shelby328335
Marshall316736
Lee267845
Morgan239318
Etowah212131
DeKalb181913
Calhoun178414
Elmore172338
Walker152664
Houston139812
Russell13682
St. Clair133817
Limestone133313
Dallas132323
Franklin127420
Cullman122512
Colbert118113
Autauga116921
Lauderdale116719
Escambia108217
Talladega102614
Jackson9894
Tallapoosa85579
Chambers84138
Dale83424
Blount8004
Chilton7926
Butler76436
Coffee7616
Covington73520
Pike7097
Clarke6629
Barbour5755
Marion57424
Lowndes57224
Marengo55215
Hale47626
Bullock46411
Winston45311
Perry4424
Bibb4385
Wilcox42910
Monroe4214
Randolph40110
Pickens4009
Conecuh39310
Washington39112
Sumter36018
Lawrence3491
Macon33514
Crenshaw3185
Choctaw28312
Cherokee2737
Henry2633
Geneva2611
Clay2585
Greene25111
Lamar2222
Fayette2075
Cleburne1271
Coosa1012
Out of AL00
Tupelo
83° wxIcon
Hi: 98° Lo: 75°
Feels Like: 89°
Columbus
Clear
77° wxIcon
Hi: 96° Lo: 74°
Feels Like: 78°
Oxford
Clear
75° wxIcon
Hi: 94° Lo: 73°
Feels Like: 75°
Starkville
77° wxIcon
Hi: 94° Lo: 71°
Feels Like: 78°
WTVA Radar
WTVA Temperatures
WTVA Severe Weather