Microsoft Claims Azure Active Directory B2C Not Affected by Facebook Hack

Microsoft indicated on Thursday that its Azure Active Directory B2C service wasn't affected by the Facebook hack last month that potentially exposed the access tokens of about 50 million Facebook users.

The breach was the largest one yet for Facebook and it occurred due to three software flaws, according to a September 28 explanation by Guy Rosen, vice president of product management at Facebook. Those flaws made it possible for user access tokens to get stolen using the Facebook "View as" feature, which was supposed to just display how a person's profile looked to others. With stolen access tokens, it's possible to take over accounts. The tokens are used to keep users signed into the Facebook service.

The Facebook social media service can be used as an "identity provider" with Azure AD B2C, which is Microsoft's identity service for connecting businesses with consumers. It's been possible to use a Facebook ID (along with IDs from Amazon, Google and LinkedIn) with the service ever since Microsoft launched Azure AD B2C in 2016. More recently, Microsoft added GitHub and Twitter as accepted identity providers that can be used with the service.

While the Facebook hack exposed the access tokens of Facebook users, the breach didn't affect users of the Azure AD B2C service, Microsoft contended, even if Facebook served as the identity provider. The Azure AD B2C service doesn't use those Facebook tokens directly. Instead, it uses an authorization code that's sent from the user's browser, Microsoft explained, in its announcement.

Here's how the announcement expressed it:

Since B2C does not accept access tokens from the end user, the exploit that Facebook has described does not apply -- even if an attacker presented B2C with the access token of another Facebook user, B2C is not configured to accept it to authenticate the user.

Facebook acted about two days after detecting the breach to address the issue, according to Rosen, in a video in Facebook's announcement. The software flaws were fixed, the tokens were reset and Facebook temporarily turned off the View As feature, according to the company. All Facebook users (90 million accounts) will be compelled to sign back into their accounts as a precaution.  

Rosen stated that "there's no need for anyone to change their [Facebook] passwords." However, the U.S. Federal Trade Commission, in a consumer advisory on the matter, recommending doing it anyway.

In an October 2 announcement, Rosen said that analysis by Facebook had showed that no "third-party apps" had been accessed using Facebook logins as a consequence of the breach.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • How To Remove the Windows 10 Action Center

    Microsoft meant well with Windows 10's Action Center, but the constant pop-up notifications are often more annoying than helpful. Here's how to get rid of them.

  • Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

    Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B service to access resources as "guests."

  • Top 4 Overlooked Features of a Data Backup Strategy

    When it comes to implementing an airtight backup-and-recovery plan, these are the four must-have features that many enterprises nevertheless tend to forget.

  • Microsoft Bolsters Kubernetes with Azure Confidential Computing

    Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.