Facebook has been hacked again.
Although this time it is a little different.
Last week, nearly 50 million user accounts were compromised in what is believed to be the biggest security breach in Facebook’s history. The attack gave hackers the ability to take over accounts outright.
On Friday, the social media company revealed a vulnerability that allowed hackers to steal the automated log-in credentials known as access tokens, reports The Guardian.
Access tokens are the digital keys that keep you logged in to Facebook without re-entering your password, and they are also what lets you use Facebook to log into other apps like Spotify, Pinterest or Yelp. You’ve all seen the “Sign up using Facebook” option that frees you from the time-consuming process of creating a new account.
While the full scope of the attack has not been confirmed, researchers say the implications of the breach could extend far beyond Facebook’s borders.
Simply put, a token is a unique string of letters and numbers that can be used to automatically log you in to other apps and websites, so you don’t have to keep entering your password.
Unfortunately, from a security standpoint, using Facebook or any other social media account to log into other services is not a smart thing to do, says Dana Simberkoff, chief risk, privacy and information security officer at enterprise security firm AvePoint.
“It’s easy and convenient, but when you use shortcuts there can be consequences,” she says. “You should not use one app to log into another, because when one of those systems is compromised, everything else you interact with can be as well.”
Well, that’s precisely what happened. A combination of bugs in Facebook’s ‘View As’ feature and its video uploader caused the site to generate an access token for the account being viewed and expose it in the page, where attackers could extract it:
Once an attacker discovered how to steal one person’s token, it would be a simple matter of automating the process to compromise millions of Facebook accounts, as well as any third-party accounts (like Spotify or Pinterest) that rely on those Facebook tokens.
In response, Facebook disabled the ‘View As’ feature, reset the access tokens of around 90 million users (the 50 million affected plus 40 million more as a precaution) and logged them out; a new token is generated when they log back in. Invalidating the tokens stops anyone from using the stolen ones, but it does nothing about third-party accounts that were taken over while the tokens were still valid.
To put it differently, if your accounts have been compromised, the hacker could still be in there regardless of Facebook’s efforts to close the bugs. Here’s the really scary part, from Jason Polakis, a computer science researcher at the University of Illinois at Chicago who has studied exactly this scenario:
“On many websites, we found that attackers could reset the account’s email and then set a password without knowing the account’s actual password. So even if single sign-on no longer works and the attacker no longer has access to that Facebook account, they could still maintain access to the third-party account.”
When testing this attack scenario, Polakis and his fellow researchers used hijacked Facebook tokens to get into accounts on 29 of the web’s most popular sites, and could still log into 22 of them after losing access to the Facebook accounts.
To make things worse, if you have used Facebook to sign in to a website, the attacker can log in there as you without knowing any password, because the site takes Facebook’s word for who you are; and if the site links accounts by email address, an account you created with a regular password under the same email can be exposed too.
The final nail in the coffin: even if you’ve never used Facebook to log into a particular website, your stolen token could be used to create an account there in your name. The moment you log in to that account, the hacker will be able to steal the private information you put into it.
So, what now? Change your passwords on sites where you used Facebook Login, and set one wherever you never had to; there’s no guarantee this kicks out someone who is already in, but it’s worth doing. Review the apps and websites connected to your Facebook account, remove any you don’t recognise or no longer use, and check the permissions those apps were granted by default. Turn on two-factor authentication (a code sent to your phone, or generated by an app, that you enter alongside your password), and disable auto-logins for apps like Twitter.
To put it simply, social login is becoming a liability, so best not to sacrifice security for convenience.
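The persistence problem Polakis describes, modelled as an added Python example (this is not code from the article, from Facebook or from any real site): a toy identity provider issues tokens; a naive relying party exchanges one for its own session and lets that session change the recovery email and set a password, so the account survives the provider revoking every token; a hardened relying party ties its session to the token and demands a code sent to the account’s current address before either change. The class and method names, the code-to-inbox step and the revocation check are assumptions made for the demonstration.

```python
import secrets

VICTIM, ATTACKER = "victim@example.com", "attacker@example.com"  # constructed identities

class IdentityProvider:
    """Stand-in for the social-login provider: issues and revokes access tokens."""
    def __init__(self):
        self._tokens = {}  # token -> account email

    def issue_token(self, email):
        token = secrets.token_hex(16)
        self._tokens[token] = email
        return token

    def identity_for(self, token):
        return self._tokens.get(token)  # None once the token is revoked

    def revoke_all(self):  # models the provider resetting every token after the breach
        self._tokens.clear()

class NaiveRelyingParty:
    """Third-party site that trusts the provider once, then keeps its own session.
    Weakness: email and password can be changed from that session with no further proof."""
    def __init__(self, idp):
        self.idp = idp
        self.accounts = {}  # email -> {"password": str | None}
        self.sessions = {}  # session id -> {"email": str, "token": str}
        self.outbox = {}    # email -> verification code "sent" to that address

    def login_with_sso(self, token):
        email = self.idp.identity_for(token)
        if email is None:
            raise PermissionError("provider rejected token")
        self.accounts.setdefault(email, {"password": None})  # first login creates the account
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"email": email, "token": token}
        return sid

    def login_with_password(self, email, password):
        acct = self.accounts.get(email)  # SSO-only accounts have no password at all
        return bool(acct) and acct["password"] is not None and acct["password"] == password

    def request_code(self, sid):  # emails a code to the account's current address
        self.outbox[self._session(sid)["email"]] = secrets.token_hex(4)

    def change_email(self, sid, new_email, code=None):
        sess = self._session(sid)
        self._authorize_sensitive(sess, code)
        self.accounts[new_email] = self.accounts.pop(sess["email"])
        sess["email"] = new_email

    def set_password(self, sid, new_password, code=None):
        sess = self._session(sid)
        self._authorize_sensitive(sess, code)
        self.accounts[sess["email"]]["password"] = new_password

    def _session(self, sid):
        return self.sessions[sid]

    def _authorize_sensitive(self, sess, code):
        pass  # naive site: being logged in is proof enough

class HardenedRelyingParty(NaiveRelyingParty):
    """Same site with two assumed mitigations: a session minted from an SSO token dies when
    the provider revokes that token, and email/password changes need a code delivered to
    the account's current address, which a token thief cannot read."""
    def _session(self, sid):
        sess = self.sessions[sid]
        if self.idp.identity_for(sess["token"]) is None:
            del self.sessions[sid]
            raise PermissionError("SSO token revoked; session terminated")
        return sess

    def _authorize_sensitive(self, sess, code):
        if code is None or self.outbox.get(sess["email"]) != code:
            raise PermissionError("verification code required")
        del self.outbox[sess["email"]]  # single use

def replay_attack(rp_class):
    """Run the article's chain against a relying-party class and report what the
    attacker is left with after the provider revokes every token."""
    idp = IdentityProvider()
    rp = rp_class(idp)
    sid = rp.login_with_sso(idp.issue_token(VICTIM))  # token harvested through the bug
    rp.request_code(sid)                              # any code lands in the victim's inbox
    code = rp.outbox.get(ATTACKER)                    # attacker can read only their own inbox
    try:
        rp.change_email(sid, ATTACKER, code=code)
        rp.set_password(sid, "attacker-chosen", code=code)
        rehomed = True
    except PermissionError:
        rehomed = False
    idp.revoke_all()                                  # the provider's response to the breach
    return {"rehomed": rehomed,
            "password_login": rp.login_with_password(ATTACKER, "attacker-chosen")}
```

`replay_attack(NaiveRelyingParty)` reports that the attacker both re-homed the account and can still log in with their own password after the token reset; against `HardenedRelyingParty` both come back False. The second mitigation is the one that matters for the 22-of-29 finding: a site that lets a fresh SSO session rewrite the recovery email without proof of control of the old address has handed the account over for good, whatever Facebook does afterwards.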
[source:guardian]