There's oversharing on Facebook and then there's oversharing on Facebook. Last week the ubiquitous social media platform announced that it had experienced a security breach exposing the accounts of up to 50 million users. If Facebook knows the identity of the hackers, it isn't talking. But details surrounding the attack itself have already started to emerge early in the investigation.

A vulnerability in the “View As” function, a privacy feature that allows users to see how their profiles appear to other denizens of Facebook, enabled hackers to steal “access tokens” to gain entry to people's accounts. If users signed onto other sites using the “Login with Facebook” function, those accounts could be compromised, too.

Access tokens are like an all-access pass to the VIP event that is your account. They get you through the front door and provide entry to the other doors therein. Matt Cullina, CEO of CyberScout, a company that provides breach services and data risk management solutions, said that for hackers, access tokens are about as valuable as it gets.

“I think it's a newer trend, and again, it's getting the keys to the castle. This is what it's all about for a hacker. You want to go right to the source. You don't want to have to go through one door to get to another doorway and another and another.”

But Jennifer Beckage, founder of the Beckage firm and a lawyer with experience in breach response, data security and information privacy, doesn't think that the access token breach like the one that occurred at Facebook is any more of a threat to the legal industry than other kinds of intrusions.

“Speaking generally, breaches really take so many different shapes and sizes and it doesn't seem like there's any two that are really the same,” Beckage said.

Still, Rebecca Rakoski, a co-founder and partner at XPAN Law Group in Philadelphia who specializes in international data privacy, cybersecurity and cross-border data management, said that the risk to firms is heightened by the ethical obligations to protect information under attorney-client privilege.

“You have to look at what you're doing and how you're securing it and weigh that against what is the probability a hacker would want access to that information,” Rakoski said.

Systems with single-sign-on access (such as “Login with Facebook”) favor ease and speed, while a multifactor authentication process requires the user to overcome several identity challenges, sometimes across multiple devices.

Though many lawyers are unlikely to sign on to their law firm systems via Facebook, they may interact with clients through services such as Dropbox that do provide single-on-sign functions.

I think you have to look at first whether or not you're concerned about clients accessing documents,” Rakoski said. “For example, if you put client documents in Dropbox or some sort of interface where the client is going to be accessing documents, certainly there you balance the client's ability to access them against the authentication that's required to access them.”

Beckage advises organizations to perform a risk analysis that evaluates the sensitivity of the information they have stored, the security tools at their disposal and how those tools are being used.

“Companies are doing their best to be ahead of this constantly moving target while still trying to do business, trying to keep up with an ever-changing legal landscape of data security and privacy laws. There's a lot of moving parts to this,” she said.