Social media sites are increasingly the focus of our digital lives. Not only do we share, interact and post on platforms like Facebook—we also use these sites to quickly log into our favorite apps and websites. But what happens when these social media gatekeepers are hacked? Awhile back, Facebook suffered a major attack when hackers obtained the digital keys to access at least 30 million accounts (originally thought to be 50 million), exposing highly sensitive personal details.
The attack not only gave the bad guys access to the Facebook accounts but raised the prospect of them also being able to access any linked apps or websites. The message is clear: it may be time to store log-ins for these third-party accounts in a password manager, rather than a frequently targeted social media company.
What happened, exactly?
As a Facebook user, you’re probably well-aware of the ease-of-use benefit of logging-in to your third-party website and application accounts using your Facebook credentials. Known as Facebook Connect, this is what’s called a “Single Sign-On” feature: a fast, simple, and straightforward way to log in to your various accounts, so you don’t have to remember multiple different passwords for different sites and apps.
Convenient, eh? But here’s the problem. At the end of September (in 2018), Facebook discovered a major security issue: attackers managed to steal the crucial access tokens which act as “digital keys” to keep you logged into the site without having to re-enter your password each time you use Facebook. These keys also provide access to all those third-party applications and websites you log-in to via Facebook: everything from Airbnb and Amazon to Tinder and your favorite news apps. Since there’s a chance that the bad guys were also able to illegally access these, they may have been able to gather more of your sensitive info across these accounts to commit identity theft—and thereby gain access to your credit cards as well.
How did the hackers grab these all-important access tokens? By exploiting several bugs in Facebook’s “View As” and video posting features. (View As is a feature that allows users to see what their own profile looks like to someone else). They ultimately stole access tokens for 30 million users; accessed just name and contact details for 15 million; virtually all profile info including name, contact details, username, gender, language, relationship status, religion, etc. for 14 million; and no info at all for 1 million.
Facebook has been quick to point out that there are currently no signs the attackers did access any of third-party apps using Facebook SSO. However, that may change. It also doesn’t alter the fact that a similar incident like this, or worse, could happen in the future. Social media and web providers like Facebook are a major target for attackers, while human error will inevitably lead to some security mistakes in the future. A bug in Google’s code recently exposed the data of 500,000 users of its Google+ social platform, which has prompted their decision to shut down the consumer side of the site within the next 10 months (as of October 2018).
How can I stay safe?
Facebook has fixed the bugs in question and reset the access tokens of those affected by this leak, which should help to stop future attacks. However, if your account was illegally accessed in the attack, there are a few steps you should take:
- Visit this link to get a yes or no answer on whether you were affected.
- Be on the lookout for scams: Fraudsters may call, email or send you messages using the info they’ve obtained from the leak.
- Beware of phishing emails: scammers might try to capitalize on the notoriety of the incident to get you to part with sensitive info, by sending emails pretending to come from Facebook. Here’s how to confirm if they’re real or not.
- You may need to call your bank: if you were in the second group of 14m users, the hackers may have enough personal info on you to answer security questions to access your accounts. Consider adding further layers of security.
Take preventative steps
After the above, consider the following options to keep all your accounts secure going forward:
- Disable Facebook SSO. Go to your Facebook settings and remove all apps under Active Apps and Websites. Then under Apps, Websites and Games go to Preferences and click on Edit then Turn Off.
- Switch on two-factor authentication: this will add an extra layer of security to your Facebook log-in. Visit Facebook’s Settings> Security and login> Setting up extra security> Use two-factor authentication.
- Consider Facebook’s app password generator: If you wish to maintain app and website connections, this function lets you generate unique passwords for your linked apps and websites, instead of using the Facebook SSO password. However, these passwords can’t be stored in a password manager, and if you log out of the app, you’ll have to generate a fresh password.
- Better yet, invest in a password manager to securely generate and store strong and unique passwords for each of your Facebook linked apps and websites.
Will it affect my use of Facebook?
If you disable Facebook SSO there may be some loss of sharing functionality. For example, you might find that you can’t post/share articles from within news apps direct to Facebook, and instead have to cut and paste the link manually. It will depend, however, on the apps you’re using. At the end of the day, you need to decide what’s more important to you: tighter integration between apps/websites and Facebook, or keeping your passwords in a separate, secure place away from the social media company.
How can Trend Micro help?
Trend Micro Password Manager can help you to protect the privacy and security of your app and website account passwords across PCs and Macs, and Android and iOS mobile devices. Use it as a highly user-friendly but more-secure alternative to Facebook SSO. Trend Micro Password Manager
- Generates highly secure, unique, and tough-to-hack passwords for each of your online accounts.
- Securely stores and replays these credentials for log-ins, so you don’t have to remember them.
- Offers an easy way to change passwords, if any do end up being leaked or stolen.
- Makes it quick and easy to manage your passwords from any location, on any device and browser.
- Works across both apps and websites, with particular benefit for apps you use in conjunction with Facebook on your mobile devices.