Facebook Hack Puts Thousands of Other Sites at Risk

SAN FRANCISCO — When Mark Zuckerberg introduced an online tool called Facebook Connect in 2008, he hailed it as a kind of digital passport to the rest of the internet. In just a few clicks, users would be able to log in to other apps and sites with their Facebook passwords.

The tool was adopted by thousands of other firms, from mom-and-pop publishing companies to high-profile tech outfits like Airbnb and Uber.

Now those outfits could have been exposed to the consequences of an attack on Facebook’s computer systems. On Friday, the company said the account entry keys of at least 50 million Facebook users had been stolen in the largest hack in the company’s 14-year history.

But the impact could be significantly bigger since those stolen credentials could have been used to gain access to so many other sites. Companies that allow customers to log in with Facebook Connect are scrambling to figure out whether their own user accounts have been compromised.

The hack and its fallout underscore the lengths to which Facebook has cemented itself as the identity of the internet, and what happens when the security systems of one company — trusted by so many — fail.

“Just the sheer fact that this exists will magnify the scale of any hack,” said Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago.

In Europe, where tough new data privacy regulations went into effect in May, the authorities are preparing an investigation of the Facebook breach. Ireland’s Data Protection Commission, which is responsible for overseeing Facebook in the region, said it was gathering information and establishing the scope of its inquiry.

Tinder, the dating app, has found no evidence that accounts have been breached, based on the “limited information Facebook has provided,” Justine Sacco, a spokeswoman for Tinder and its parent company, the Match Group, said in a statement. Tinder, as well as other Match Group apps, rely on Facebook Connect as a method of logging in.

Ms. Sacco added that Facebook could do more to help by providing a specific list of users hit by the attack.

Over the past decade, Facebook has sold outside companies on Facebook Connect with a simple proposition: Connect to our platform, and we’ll make it faster and easier for people to use your apps.

The Connect tool was about achieving ubiquity. Users would be more apt to sign up for new apps and sites if doing so was easier, Facebook argued. It also brought an added measure of security, since users wouldn’t need to create and remember new passwords every time they signed up for a new app.

But in July 2017, that measure of security fell short. By exploiting three software bugs, attackers forged “access tokens,” digital keys used to gain entry to a user’s account. From there, the hackers were able to do anything users could do on their own Facebook accounts, including logging in to third-party apps.

In a blog post on Tuesday evening, Facebook said a continuing investigation of the close to 50 million accounts that were compromised “has so far found no evidence that the attackers accessed any apps using Facebook Login.”

But there are still questions about an additional 40 million Facebook accounts that may have been affected. Facebook forced those 40 million users to log out and reauthenticate their credentials. It was unclear whether these accounts used Facebook to connect to outside apps.

Citing “an abundance of caution,” Facebook said it was building a tool to help outside developers identify users who were affected in the hack by pinpointing potentially compromised accounts on their services.

In a conference call with reporters on Friday, Facebook said it had not assessed the scope of the breach, nor did the company discover who was responsible for the attack.

The Facebook breach is reminiscent of a catastrophic attack on Yahoo that was disclosed in 2016. Yahoo said attackers had gotten access to the company’s code and used it to forge 32 million access tokens like those stolen from Facebook.

Hackers often target large databases of credentials, which can provide access to other accounts if users created the same password for multiple sites or have logged in to third-party accounts with their Facebook account.

Since Friday, Facebook has held calls with developers at other companies to explain steps they can take to assess the damage at their own organizations.

The security team at Uber, the ride-hailing giant, is logging some users out of their accounts to be cautious, said Melanie Ensign, a spokeswoman for Uber. It is asking them to log back in — a preventive measure that would invalidate older, stolen access tokens.

Uber has reviewed its login data from the past year and hasn’t found any indications that Facebook credentials were used improperly.

“But we still have to go through the investigation,” Ms. Ensign said. “For those that are most at risk, we have logged them out, so they’ll have to log back in to the account.”

Facebook faces fallout from regulators both at home and abroad. On Friday, Senators Mark Warner of Virginia and Richard Blumenthal of Connecticut, both Democrats, used the occasion to renew their calls for legislation reining in large tech companies.

The European Union’s probe will be an early test of its new data-protection law, the General Data Protection Regulation. The law allows Facebook to be fined up to 4 percent of its global revenue, though many consider such an outcome unlikely.

“G.D.P.R. was designed to address the big tech giants, who are enormous, have huge resources and do very complicated things with personal data,” said James Castro-Edwards, the head of the data-protection practice at the London law firm Wedlake Bell. “This is the sort of battle that G.D.P.R. was drafted to be used in.”

As Facebook’s power has grown, some outside companies have become wary of relying on it too much.

While Tinder originally relied exclusively on the Facebook login for several years, the dating company last year introduced a way for people to create new accounts without using Facebook. Since then, fewer than 25 percent of new users sign up for Tinder using Facebook Connect.

Similarly, Netflix stopped allowing users to connect using their Facebook accounts three years ago, and new customers must create user names and passwords when they sign up.

But for the thousands of other companies that rely on Facebook to serve customers, it is unclear whether or not they will know the extent of the damage.

“So many websites support Facebook login, and it was vulnerable for so long that it’s hard to give an idea of the scope of this attack,” Mr. Polakis said.