Facebook hackers got access to your Tinder, Spotify, Instagram, Messenger and Airbnb too
FACEBOOK'S latest hack attack doesn't just affect the social network – but loads of other sites too.
If you use Facebook to log into other services – like Instagram or Tinder – then Facebook hack attackers may have stolen all of your profile info, photos, private messages and more.
On Friday evening, Facebook revealed that hackers were given access to 50 million accounts.
This let them use your Facebook account "as if they were the account holder" – a shocking security gaffe.
But because of the way the hack worked, it also gave attackers the same level of access to any accounts you use Facebook to log in with.
So if you tied your Facebook to Messenger, Instagram, Spotify, Tinder and Airbnb, hackers will have been able to slip into those accounts too.
It's all thanks to a major screw-up in Facebook's website code.
When you log into websites like Facebook, you get given an access token.
Access tokens are like digital keys that remind the website – and other linked services – that you're logged in.
That's why when you close the Facebook tab and open it up again later, you're still logged in.
If you have an access token, you don't need to enter your username and password – because it means you're already logged into the website.
But last June, Facebook added a new video uploader tool that introduced a major bug.
The bug allowed hackers to generate access tokens for absolutely anyone on the website.
Unsurprisingly, hackers used this bug to create access tokens for 50 million users across the site.
Facebook hack timeline – when did it all happen?
Here's what you need to know...
- The vulnerability in Facebook's code was the result of three separate bugs
- These were created in July 2017, when Facebook created a new video upload functionality
- On September 16, 2018, Facebook discovered unusual activity, which manifested itself as a "spike in users", according to officials
- Facebook then launched an investigation
- On Tuesday, September 25, Facebook uncovered the attack and found the vulnerability
- On Wednesday, September 26, Facebook notified law enforcement
- On Thursday evening – September 27 – Facebook said it fixed the vulnerability
- On Friday evening – September 28 – Facebook disclosed the vulnerability to the public
Importantly, if you log into other services with Facebook, this access token would treat you as being logged into those services too.
So it doesn't matter how strong your password was, or whether two-factor authentication meant you needed to receive a text or email code to log in.
The hack allowed attackers to convince these websites that they were already logged in – sneaking onto your account under the radar.
The only way to actually avoid being caught up in this hack was to (1) not have a Facebook account, or (2) get lucky, and not be targeted by the hackers.
The attackers were also given complete access (effectively, as if they were you), and so could have accessed any part of your accounts.
"Because this issue impacted access tokens, it's worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications," said Tim Mackey, senior technical evangelist at Synopsys.
"If you've ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they've granted access rights to within Facebook."
Facebook hack – how did this breach happen?
Here's how it worked...
- Facebook's systems were compromised through the 'View As' feature
- 'View As' lets you see your profile as another specific user would see it
- The three bugs related specifically to a re-design of the video uploader tool
- When using 'View As', the video uploader tool shouldn't have shown up at all
- But on specific posts encouraging people to post happy birthday greetings, it did show up
- The second bug was that the video uploader incorrectly used Facebook's single sign-on functionality, and generated an access token for the mobile app
- The third bug was that when the video uploader showed up, the access token was generated not for you, the logged-in user, but for the user whose profile you were looking up
- This was discovered by attackers, who were able to use this system to look up other users and get further tokens
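To make the two points above concrete – that an access token stands in for a username and password at every linked service, and that the third bug minted a token for the wrong person – here is a small model written for this article. It is not Facebook's code and does not use Facebook's real token format; the HMAC-signed token, the `mint_token`/`verify_token` functions, the `view_as_token_*` helpers and the app names are all constructed for illustration. The linked-service side checks everything it can (signature, audience, expiry), which is exactly why it still cannot tell a token minted by the bug from a legitimate one: both are genuine tokens from the identity provider.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing key; a real identity provider keeps this in an HSM/KMS.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, now: int, ttl: int = 3600) -> str:
    """Identity-provider side: sign a short-lived bearer token.

    subject  - the account the token acts on behalf of
    audience - the app (linked service) the token is meant for
    """
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now: int) -> dict:
    """Linked-service side: accept the token only if it is genuine, for us and unexpired."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected_sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected_sig):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["aud"] != expected_audience:
        raise ValueError("token issued for a different app")
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def view_as_token_buggy(session_user: str, viewed_user: str, app: str, now: int) -> str:
    # Models the third bug described above: the token is minted for the
    # profile being looked at, not for the logged-in user who requested it.
    return mint_token(viewed_user, app, now)


def view_as_token_fixed(session_user: str, viewed_user: str, app: str, now: int) -> str:
    # The token is bound to the authenticated session only; the viewed
    # profile is display context and never becomes the token's subject.
    return mint_token(session_user, app, now)


def linked_service_login(token: str, app: str, now: int) -> str:
    """Return the account the linked service will log in.

    The service learns who the token names and that the token is genuine;
    it has no way of knowing whether that person actually asked for it.
    """
    return verify_token(token, app, now)["sub"]


if __name__ == "__main__":
    NOW = 1_537_000_000  # constructed timestamp (mid-September 2018)
    # alice is logged in and uses 'View As' on bob's profile.
    print(linked_service_login(view_as_token_buggy("alice", "bob", "spotify", NOW), "spotify", NOW))
    print(linked_service_login(view_as_token_fixed("alice", "bob", "spotify", NOW), "spotify", NOW))
```

Running the block logs in "bob" for the buggy path and "alice" for the fixed one, with identical checks passing at the linked service in both cases. The defensive lesson sits on both sides: the identity provider must derive a token's subject from the authenticated session alone, never from request context such as which profile is on screen, and linked services should keep token lifetimes short and check audience and expiry so that a leaked token is worth as little as possible.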
The big fear is that hackers will have used automated tools to harvest information from all 50 million accounts that were compromised.
This means it's possible that hackers are currently sitting on photos, videos, and private messages for tens of millions of people around the world.
This data pool grows significantly when you add services like Tinder or Instagram into the mix.
And even if you weren't hacked yourself, messages you sent to people who were hacked may still be caught up in the hack.
This significantly increases the risk of identity fraud, blackmail, and even lost relationships.
If you've ever sent racy photos, made mean comments, or moaned about an employer on your Facebook – or in private messages – hackers may be ready and waiting to release this information right now.
Hackers could also use the information they stole to defraud you, potentially gaining access to your bank accounts or other important services.
"Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over," said Sam Curry, chief security officer at Cybereason.
"Today, consumers are reminded again to watch their identities and credit for abuse.
"As an industry until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts."
If you were hacked, you'll have been logged out and shown a notification from Facebook explaining why.
If this is the final straw for you, follow our guide on how to delete Facebook permanently.
And it might disappoint you to find out Facebook faces a maximum fine of just £1.25 billion – less than 3% of billionaire CEO Mark Zuckerberg's net worth.
A Spotify spokesperson told The Sun that although Facebook's systems allowed access to Spotify accounts, Spotify's own systems weren't directly breached.
"Spotify has not experienced a security breach," they said.
"However we recognise that many users repurpose login information across various platforms. As a precaution, anyone with concerns can update their Spotify password, or contact customer service who can assist."