- Some of the people potentially impacted by Facebook's latest massive security breach are the earliest business customers of its corporate chat app Workplace, according to emails viewed by Business Insider.
- Most Workplace users are not impacted because Workplace logins are different than those used for consumer Facebook accounts.
- But Facebook failed to remove a feature that let beta Workplace users link to corporate accounts and those people are being warned of the risk.
- "Facebook touts its commitment to security as one of the main features for this product, and this is not a good look," one concerned Workplace user told Business Insider.
Buried within Facebook's admission of the massive cyber attack affecting 50 million people was a surprising and worrisome nugget for some of its business customers: a few of Facebook's Workplace corporate customers could also have been impacted.
Workplace is Facebook's competitor to workplace collaboration tool Slack. It's used by more than 30,000 businesses as of a year ago, the last time Facebook released statistics on the product.
The good news is that most of those Facebook Workplace customers are not impacted by the hack. However, Facebook's earliest customers could have been and Facebook is reaching out to those at risk to warn them, according to an email sent by Facebook to a Workplace customer seen by Business Insider.
To recap: Facebook revealed last week that hackers had managed to gain control of tens of thousands of its "access tokens," the bit of software that allows you to get onto Facebook without having to enter your user name and password each time. This token is also used whenever you sign in to another app using your Facebook credentials, for example Tinder or Spotify. Control of the token gives hackers full access to your Facebook account, as well as to any apps that use Facebook's login.
When it comes to Workplace customers, only those that signed up before June 2016, when the product was still in beta, are at risk. Facebook officially launched the product in October 2016.
In the beta product, Facebook allowed employees to link their Workplace account with their personal account. And that would have put them at risk for this hack. "The stolen token would let you read the files and posts in the community -- the equivalent of reading work email," a concerned user of Facebook Workplace told Business Insider.
Some big companies could be at risk
Facebook removed that linking feature when it formally rolled out Workplace. "There may not be that many people in that bucket, but there were some pretty large companies using it early," that person said.
For instance, back in 2015, Facebook announced that the Royal Bank of Scotland had signed up to use the Workplace service, intending to roll it out to 100,000 employees. And when Facebook launched the Workplace product in 2016, it said it already had about 1,000 customers using it.
A Facebook spokesperson sent Business Insider the following statement: "Workplace is set up differently than Facebook. A very early feature of Workplace, enabled during its beta stage, allowed users to link their Workplace and Facebook accounts. A very small percentage of customer accounts are still linked, but once the vulnerability was fixed on Facebook, (when people were logged out and asked to log back in) the vulnerability was fixed for Workplace. Right now there is no evidence to suggest that any Workplace customers have been impacted, but we are investigating and reaching out to customers directly to keep them informed."
Still, it's not clear why some early users' accounts were still linked when Facebook abolished that feature.
The user told us: "It is quite surprising that Facebook has touted that personal and work accounts are (since June 2016) separate -- but they didn't delete the link for pre-June 2016 accounts."
A security breach is the nightmare scenario for IT professionals and Facebook knows it. "Security" is literally one of Facebook's selling points for the product, promising businesses on its promotional materials for Workplace that Facebook is "serious about security. We're proud to exceed the industry standard for protecting your data."
So, in addition to putting 50 million consumer accounts at risk, Facebook also put some of its early paying customers at risk. This is another bit of ammo for the people who say that Facebook can't be trusted with anyone's data.