Microsoft Claims Azure Active Directory B2C Not Affected by Facebook Hack

Microsoft indicated on Thursday that its Azure Active Directory B2C service wasn't affected by the Facebook hack last month that potentially exposed the access tokens of about 50 million Facebook users.

The breach was the largest one yet for Facebook and it occurred due to three software flaws, according to a September 28 explanation by Guy Rosen, vice president of product management at Facebook. Those flaws made it possible for user access tokens to get stolen using the Facebook "View as" feature, which was supposed to just display how a person's profile looked to others. With stolen access tokens, it's possible to take over accounts. The tokens are used to keep users signed into the Facebook service.

The Facebook social media service can be used as an "identity provider" with Azure AD B2C, which is Microsoft's identity service for connecting businesses with consumers. It's been possible to use a Facebook ID (along with IDs from Amazon, Google and LinkedIn) with the service ever since Microsoft launched Azure AD B2C in 2016. More recently, Microsoft added GitHub and Twitter as accepted identity providers that can be used with the service.

While the Facebook hack exposed the access tokens of Facebook users, the breach didn't affect users of the Azure AD B2C service, Microsoft contended, even if Facebook served as the identity provider. The Azure AD B2C service doesn't use those Facebook tokens directly. Instead, it uses an authorization code that's sent from the user's browser, Microsoft explained, in its announcement.

Here's how the announcement expressed it:

Since B2C does not accept access tokens from the end user, the exploit that Facebook has described does not apply -- even if an attacker presented B2C with the access token of another Facebook user, B2C is not configured to accept it to authenticate the user.

Facebook acted about two days after detecting the breach to address the issue, according to Rosen, in a video in Facebook's announcement. The software flaws were fixed, the tokens were reset and Facebook temporarily turned off the View As feature, according to the company. All Facebook users (90 million accounts) will be compelled to sign back into their accounts as a precaution.  

Rosen stated that "there's no need for anyone to change their [Facebook] passwords." However, the U.S. Federal Trade Commission, in a consumer advisory on the matter, recommending doing it anyway.

In an October 2 announcement, Rosen said that analysis by Facebook had showed that no "third-party apps" had been accessed using Facebook logins as a consequence of the breach.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Uniting OneDrive and SharePoint Admin Portals Next Month

    Microsoft is converging its OneDrive and SharePoint Admin Center management portals, with a consolidated portal expected to arrive for Microsoft 365 subscribers "through February."

  • Phishing Tops Concerns in Microsoft Study of Remote Work

    Potential phishing attacks were a top concern of most IT security professionals when organizations switched to remote-work conditions early last year.

  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

comments powered by Disqus