Facebook, third-party apps and regulators are struggling to explain the specifics of a major security breach that allowed hackers to access 50 million accounts—one week after it was initially discovered.
Hackers stole access tokens that allowed them to exploit a privacy feature called “View As”—which lets users see what their profiles look like when seen by certain friends or members of the general public.
Facebook said that it has taken steps to address the issue—forcing almost 50 million users to log back into their account in order to protect their security; temporarily turning off the “View As” feature during their investigation; and notifying law enforcement officials.
The company additionally reset the access tokens of another 40 million users as a precautionary measure—meaning that 90 million people were forced to log back into the social platform.
Countless numbers of the tech giant’s 2.2 billion active monthly users use Facebook to log into to a wide range of third-party apps, including Tinder, Spotify, Airbnb and Pinterest—and the company has said that the breach could have allowed hackers to access those other apps as well.
“Now that we have reset all of those access tokens as part of protecting the security of people’s accounts, developers who used Facebook login will be able to detect that those access tokens have been reset, identify those users, and as a user, you will simply have to login again into those third-party apps,” Guy Rosen, Facebook’s vice president of product management, told reporters on a Friday conference call.
However, it may not be quite that simple.
Tinder told CNN it has done “a full forensic investigation” since Facebook’s “limited” disclosure and has found “no evidence to suggest accounts have been accessed.”
The dating app continued: “We will continue to investigate and be vigilant—as we always are—and if Facebook would be transparent and share the affected user lists, it would be very helpful in our investigation.”
A spokesman for Spotify told the Sun that even though Facebook’s systems allowed access to Spotify accounts, the music app itself has not experienced a security breach.
Pinterest, which also lets users log in using Facebook, told CNN that it was working with Facebook to determine if any users were impacted by the hack.
The security breach, which comes on the heels on of the Cambridge Analytica data privacy scandal that impacted 87 million users, is already drawing enhanced scrutiny from U.S. lawmakers.
“We’re looking at it, our staff’s been in contact with them and we’ll determine whether or not it’s something we need to have a hearing about,” Senate Commerce Committee Chairman John Thune (R-S.D.) told Axios on Monday night, calling the breach was “pretty serious.”
Experts urge users to change their passwords and, if they used Facebook login for third-party apps, to consider enabling two-factor authentication as a way to add an extra layer of security.
Democratic staffers on the Senate Intelligence Committee are also interested in the breach and have spoken to Facebook about it, a congressional aide told the politics news site.
Facebook tweeted on Monday that the company is working to “confirm the location of those potentially affected” and will provide more information soon.