A sign outside Facebook headquarters. Photo: Justin Sullivan/Getty Images
Facebook said Tuesday night that an investigation had unearthed "no evidence" that stolen keys to 50 million accounts were used to access third-party applications that let users log in with their Facebook credentials.
Why it matters: 50 million Facebook accounts is already a significant breach, but if Facebook's findings are correct, it means that the stolen "access tokens" weren't used to access even more services, which the company said Friday was possible. Services like Tinder, Spotify and Airbnb are among the thousands that offer Facebook's login tool to users.
What they're saying: "Any developers using Facebook Login security best practices were automatically protected when we reset people's access tokens," said Vice President of Product Management Guy Rosen in a statement. "Given that some developers will not have done this, we analyzed third party access during the time of the attack we have identified. That investigation has found no evidence that the attackers accessed any apps using Facebook Login."
Between the lines: There is a difference between having "accessed" an app and still having had the token to do so. This statement appears to concern the former.
Go deeper: Third-party apps are among those scrambling for answers a week after the breach was discovered.