What we still don’t know about the Facebook breach





It’s been three days since Facebook reported that hackers obtained access tokens for 50 million user accounts, in what is believed to be the largest such data breach in its history. Here’s what we’ve learned since then — and what we haven’t.
One, the breach may have affected other third-party services that use the Facebook Connect identity platform. Several large internet services rely heavily on Facebook logins, including Spotify, Airbnb, and Tinder. Anyone who had full access to a user’s account would have been able to log into those services as well, possibly undetected. Notably, none of these Facebook Connect customers have had much to say about the effect of the breach on their own services, likely because they are still investigating. Tinder was the exception, saying Facebook had shared only limited information and calling on it to share more.
The third-party developer situation set off a secondary debate about the wisdom of using Facebook login. On the pro side, Facebook login offers enhanced security measures such as “risk-based logins” — challenging users to provide additional information if it suspects a password has been stolen. On the con side, Facebook’s dominance has created something resembling a single point of failure for online security.
Two, the legal consequences of the breach are becoming apparent. A class-action lawsuit was filed with terrifying speed. And while Facebook appears to have disclosed the breach within the 72 hours required by the General Data Protection Regulation, the European Union privacy watchdog could still fine Facebook up to $1.63 billion, Sam Schechner reported in the Wall Street Journal. Separately, the Irish Data Protection Commission said Monday that less than 10 percent of the breach’s victims live in the European Union. (Le Monde says it’s fewer than 5 million.)
