Facebook has received ample blame for the historic data breach that allowed hackers to not only take over the accounts of at least 50 million users but also access third-party websites those users logged into with Facebook. But what makes it so much worse is that fixing the issue is, in many ways, out of Facebook's hands.

Some of the web’s most popular sites have not implemented basic security precautions that would have limited the fallout of the Facebook hack, according to a recent research paper out of the University of Illinois at Chicago. If they had taken more care with their implementation of Facebook's Single Sign-On feature—which lets you use your Facebook account to access other sites and services, rather than creating a unique password for every site—the impact could have largely been limited to Facebook. Instead, hackers could potentially have accessed everything from people’s private messages on Tinder to their passport information on Expedia, all without leaving a trace. Even more staggering: You could be at risk even if you've never used Facebook to log into a third-party site.

Master Key

In a paper published in August, computer scientist Jason Polakis and his colleagues analyzed the many ways that hackers could abuse Facebook’s Single Sign-On tool. Facebook's not alone in offering the feature; Google has its own version of it, as do plenty of other so-called identity providers. But Facebook's, Polakis says, is the most widely implemented.

There are valid reasons third-party sites and services let users log in with Facebook. For starters, it’s easy, and saves users the hassle of creating yet another password. And, in theory at least, it makes logging in more secure. “Being able to set up a secure infrastructure, handle user input, have encrypted connections, and use up-to-date security mechanisms is pretty hard,” Polakis says. “So instead of relying on thousands of smaller websites, you rely on one that has better security practices.”

Of course, those benefits come with obvious associated risks. If someone compromises Single Sign-On—Facebook's, Google's, or anyone's—the possible impact is widely dispersed. The researchers tried to determine the full extent of the potential damage of a stolen account. What data could an attacker then scrape? How would users know they’d been hacked? And what, if anything, could victims do about it? At the time, the findings were unnerving. Now they seem eerily prescient.

On Friday, Facebook announced that hackers had leveraged three separate bugs to collect 50 million users’ so-called access tokens, which are the equivalent of digital keys to a Facebook account. With those tokens, hackers can take full control of users’ Facebook accounts, but because of Single Sign-On they can also access any other website that those 50 million users log into with Facebook. That's similar, though not identical, to the scenario Polakis and his colleagues studied. In that case, researchers were able to hijack cookies on a given user's device using a now-patched flaw in the iOS Facebook app. But, Polakis says, once an attacker has control of someone's Facebook account, their access to third parties would be largely the same.

After Facebook discovered the breach, it reset the access tokens for all 50 million affected users, and another 40 million who may have been impacted. "We're still doing the investigation [to see] if these attackers did get access to those third-party apps,” Facebook spokesperson Katy Dormer tells WIRED.

Limited Protections

There are ways that third-party companies can and should protect their users in case Single Sign-On is breached. The problem, Polakis says, is that few of them do.

For instance, websites that use Single Sign-On can either automatically log you in if you're already logged into Facebook elsewhere in your browser, or they can require you to enter your Facebook password every single time you log in. The second scenario is more secure, because hackers would need more than just the user’s access token to get into third-party sites. They’d need passwords, too.
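As an added illustration (not code from the article, Facebook, or any site it names): the choice between those two behaviours is made by the third-party site when it builds the redirect that sends the browser to Facebook's login dialog. Facebook's Login dialog accepts an `auth_type=reauthenticate` parameter that forces the password prompt even when a Facebook session already exists; the app id, redirect URI, Graph API version and callback URL below are constructed placeholders, and the OAuth `state` check is the standard safeguard a relying party adds so a callback can be tied to the login it actually started.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders (not real values): the relying party's own
# Facebook app id and the callback URL it registered with Facebook.
APP_ID = "000000000000000"
REDIRECT_URI = "https://relying-party.example/auth/facebook/callback"
# Graph API version is assumed; the dialog path is Facebook's documented
# Login entry point.
DIALOG_URL = "https://www.facebook.com/v3.1/dialog/oauth"


def new_state() -> str:
    """Per-login random value, stored in the user's session, so the callback
    can be tied back to the request that started it (the OAuth 'state')."""
    return secrets.token_urlsafe(32)


def build_login_url(state: str, require_password: bool) -> str:
    """Build the redirect to Facebook's login dialog.

    require_password=False is the weak mode the article describes: if the
    browser already holds a Facebook session, the user is logged straight
    in, so whoever controls that Facebook account also gets into this site.

    require_password=True adds Facebook's documented auth_type=reauthenticate
    parameter, which makes Facebook ask for the password again even when a
    session exists.
    """
    params = {
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": "email",
        "response_type": "code",
    }
    if require_password:
        params["auth_type"] = "reauthenticate"
    return f"{DIALOG_URL}?{urlencode(params)}"


def authorization_code_from_callback(callback_url: str, expected_state: str):
    """Return the one-time code Facebook appended to the callback, but only
    if the state matches the one this session issued; otherwise the callback
    was not started here and is ignored (returns None)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
        state.encode(), expected_state.encode()
    ):
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    s = new_state()
    print("auto-login URL:     ", build_login_url(s, require_password=False))
    print("re-authenticate URL:", build_login_url(s, require_password=True))
    # Constructed callback, shaped like Facebook's redirect back to the site.
    cb = f"{REDIRECT_URI}?code=constructed-code&state={s}"
    print("code:", authorization_code_from_callback(cb, s))
```

The only difference between the two URLs is the `auth_type` parameter, which is why Polakis's point is about site operators rather than Facebook: the stricter mode costs one extra prompt per login and is a single line in the site's own code.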