
Gab oauth2 hack


https://novabbs.com/interests/article-flat.php?id=250&group=rocksolid.shared.news#250

Path: i2pn2.org!.POSTED!not-for-mail
From: Anonym...@novabbs.i2p (Anonymous)
Newsgroups: rocksolid.shared.news
Subject: Gab oauth2 hack
Date: Fri, 12 Mar 2021 02:16:37 +0000
Organization: novaBBS
Message-ID: <0c013b042edb29c29c5716072cf8a5c4$1@www.novabbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="retrobbs1";
logging-data="2202"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (news.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs
X-Rslight-Site: $2y$10$TV5Gw2jeG8Wjvnvzbv.E2us05SGs4gCMRex3cNwkQBdjThZbKZwB2
 by: Anonymous - Fri, 12 Mar 2021 02:16 UTC

I've messed briefly with oauth2 in the past but the idea always seemed a bit risky, especially since the project I was working on some code for didn't really need it. I guess they just thought it was cool.

oauth2 works by "delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account"

From https://noqreport.com/2021/03/08/gab-ceo-andrew-torba-responds-to-hack-it-was-not-a-new-attack/

Social network Gab was down today following what they believed was a new attack. It was revealed that this was a continuation of an old attack that took place last week as OAuth2 tokens were reused to get into several accounts. The site was immediately shut down but is now back online.

CEO Andrew Torba posted an update explaining what happened and why there is no need for users to reset their passwords.

The attacker who stole data from Gab harvested OAuth2 bearer tokens during their initial attack. Though their ability to harvest new tokens was patched, we did not clear all tokens related to the original attack. By reusing these old tokens, the attacker was able to post 177 statuses in an 8-minute period today. We have not independently verified the information that the hacker posted is authentic.

Gab immediately took the site offline, suspecting this was a new attack. We have been able to confirm it was not a new attack, have cleared all compromised tokens, and are requiring users to log in again. As this is not a new attack and no new data has been compromised, there is no need to change your password or take any other action.

We apologize for the inconvenience, and are very confident this will not happen again.
--
Posted on novaBBS
www.novabbs.com
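The failure mode the quoted update describes is that fixing the token-harvesting vector is not the same as invalidating the tokens already harvested: bearer tokens keep working until the server stops honouring them. The following is an added example (not code from the post, from Gab, or from any OAuth2 library) of a minimal token store that records when each token was issued and can reject everything issued before an incident cutoff; the user names, timestamps and the timeline in `simulate_incident` are constructed for illustration.

```python
"""Added example: rejecting bearer tokens issued before an incident cutoff.

Constructed names and timestamps; not the post's or Gab's own code.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Token:
    user: str
    issued_at: int  # seconds since epoch (constructed values in the simulation)


@dataclass
class TokenStore:
    # Keyed by SHA-256 of the bearer value, so a copy of this table alone
    # is not a set of replayable bearer tokens.
    tokens: Dict[str, Token] = field(default_factory=dict)
    # Tokens issued before this instant are rejected even if still stored
    # (covers replicas or caches that a purge did not reach).
    revoke_before: int = 0

    @staticmethod
    def _key(bearer: str) -> str:
        return hashlib.sha256(bearer.encode()).hexdigest()

    def issue(self, user: str, now: int) -> str:
        """Mint a random bearer token for `user` at time `now`."""
        bearer = secrets.token_urlsafe(32)
        self.tokens[self._key(bearer)] = Token(user, now)
        return bearer

    def revoke_issued_before(self, cutoff: int) -> int:
        """Invalidate every token issued before `cutoff`; returns how many were purged."""
        self.revoke_before = max(self.revoke_before, cutoff)
        stale = [k for k, t in self.tokens.items() if t.issued_at < cutoff]
        for k in stale:
            del self.tokens[k]
        return len(stale)

    def authenticate(self, bearer: str) -> Optional[str]:
        """Return the owning user for a valid token, or None if unknown or revoked."""
        tok = self.tokens.get(self._key(bearer))
        if tok is None or tok.issued_at < self.revoke_before:
            return None
        return tok.user


def simulate_incident() -> dict:
    """Constructed timeline: token copied at t=100, vector patched at t=200
    without revocation, revocation of pre-patch tokens at t=250, re-login at t=300."""
    store = TokenStore()
    harvested = store.issue("victim", now=100)   # token copied by an attacker at t=100
    # t=200: the harvesting vector is fixed, but nothing has been revoked
    after_patch = store.authenticate(harvested)  # still accepted
    # t=250: operator invalidates everything issued before the patch
    purged = store.revoke_issued_before(200)
    after_revoke = store.authenticate(harvested)  # now rejected
    # users log in again and receive fresh tokens
    fresh = store.issue("victim", now=300)
    return {
        "after_patch": after_patch,
        "purged": purged,
        "after_revoke": after_revoke,
        "fresh_ok": store.authenticate(fresh),
    }


if __name__ == "__main__":
    print(simulate_incident())
```

The point of keeping both the purge and the `revoke_before` cutoff is that a purge only reaches the store it runs against; the cutoff check rejects a stale token wherever it turns up, which is the property the update says was missing between the first patch and the second outage.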
