Facebook does not believe hackers have accessed third-party sites

Facebook says it has found no evidence “so far” of its attackers accessing third-party sites through Facebook Login.

This is good news in the wake of the massive data breach the company first disclosed last week. Attackers accessed 50 million Facebook accounts in the largest breach ever.

“We have now reviewed the logs of all third-party apps installed or registered in the attack we uncovered last week. That investigation has so far not found that the attackers accessed any apps using Facebook Login,” Facebook’s Guy Rosen said in a statement.

On Friday, Facebook (FB) reported that unknown attackers had exploited a vulnerability to gain access to accounts. They were able to view other people’s Facebook profiles as if they owned the accounts. For example, they could see friends’ profiles and updates.

Facebook says it closed the loophole Thursday night, but 90 million users were forcibly logged out of their accounts as a precaution.

The attackers stole Facebook “access tokens,” which keep a person logged into their Facebook account for a long period of time. Facebook has reset all 50 million tokens. As a precautionary measure, it has also reset the tokens of another 40 million people who used the “see as” feature over the past year.

On a call about the hack last week, Rosen said attackers could also access third-party sites using Facebook Login, but the company found no evidence they were doing so.

Hundreds of sites and apps, including Tinder, Spotify and Airbnb, use Facebook Login, which allows people to access services with their Facebook username and password. Earlier this week, developers were confused about whether their services were exposed in the Facebook hack.

The company says partners who follow Facebook’s “best practices” were automatically protected. Some developers may not follow these rules and may put users at risk.

“We are sorry that this attack happened, and we will continue to update people as we learn more,” Rosen said.

— CNN’s Donie O’Sullivan contributed reporting.

CNNMoney (San Francisco) First published on October 2, 2018: 7:13 pm ET