How to Protect Yourself After a Recent Facebook Hack
It’s safe to say that this recent Facebook access token hack is a complete mess – much more than the simple inconvenience of having to log back into your Facebook account on your devices. And while the company is still looking into the details and working to help developers mitigate the impact of the attack, there are three things you can do to regain a little more control over your digital life.
First, let’s turn to the latest Facebook hack analysis:
Facebook is dodging the big bullet, maybe
Facebook paints a rosy picture of the impact of the attack in its latest blog post. It “found no evidence that attackers gained access to any applications by logging into Facebook,” and “is creating a tool that allows developers to manually identify users of their applications that may have been impacted so they can log them out.”
This is certainly nicer to hear than the doom and gloom that has emanated from security researchers over the past few days, who (rightly) foresaw a rather far-reaching account security collapse as a result of the Facebook hack. Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago, listed several potential issues in an extensive (and now highly cited) Twitter thread:
However, there are still many questions about what data was accessed for the 50 million accounts directly affected by the breach. And, as the New York Times’ Farhad Manjoo argues, a serious Facebook security breach should be enough to drop it from your digital toolbox – no more logging into other services with your Facebook account:
“This is a classic situation when you do one job. Like a loyal superintendent on a crawl in Brooklyn, Facebook suggested carrying the keys to every lock on the Internet. The location was convenient – the super was always right there at the touch of a button. It was also safer than creating and remembering dozens of passwords for different sites. Facebook had a financial and reputational incentive to hire the best security professionals to protect your keys; tons of small sites on the internet don’t – and if they get hacked, and if you reuse your passwords elsewhere, you are trapped.
But an extensive hack evaporates these arguments. If the entity that you trusted with your keys loses your keys, you take them somewhere else. And there are many safer and equally convenient ways to log into the Internet.”
I think this is great advice and you can go even further.
How to turn off Facebook single sign-on … and more
First, open your Facebook settings and uninstall all apps under Active Apps and Websites. Yes, every single one. I promise you won’t miss them.
You can go even further. In the Apps, Websites & Games section, under the Settings heading, click Change, and then click Disable. Now you will no longer be tempted to log into new services using your Facebook account, because it simply won’t work. Ta-dah.
I recommend a third, slightly more extreme measure. Sign up for a Gmail account if you don’t already have one. Then, when you are about to sign up for a new service, such as Twitter, give that service a modified email address: your Gmail address with a plus sign and a tag (for example, +twitter) inserted just before the @ sign. Google ignores the plus sign and everything after it, so the mail still reaches your inbox, but a service like Twitter should treat that complete, unique address as your identity.
While you are doing this, switch your Facebook email address to something unique as well, or just another plus-tagged address. In theory – and I’m spitballing here – this should make it harder for attackers to use access tokens from one service to tamper with your accounts (or accounts yet to be created) on another, if you’ve never linked the two with single sign-on, since there will be no shared email address tying them together.
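As an added illustration (not from the original article), here is a small Python sketch of that addressing scheme. The sample addresses are constructed, and the assumption that a service like Twitter keys accounts on the exact address string is mine; Gmail also ignores dots in the local part, which the canonicalizer reflects.

```python
import re

# Domains for which Google collapses "name+tag" and "na.me" onto one mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def service_alias(base_address: str, service: str) -> str:
    """Build a per-service plus-tagged alias, e.g. name+twitter@gmail.com.
    The tag is lowercased and stripped to characters safe in the local part."""
    local, _, domain = base_address.strip().partition("@")
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    if not tag:
        raise ValueError("service name yields an empty tag")
    return f"{local}+{tag}@{domain}"


def gmail_mailbox(address: str) -> str:
    """Return the mailbox Google actually delivers to: for Gmail domains the
    +tag and any dots in the local part are dropped; everything is lowercased.
    Other domains are only lowercased (no assumption about their aliasing)."""
    local, _, domain = address.strip().lower().partition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def linkable(address_a: str, address_b: str) -> bool:
    """Would a relying service that matches accounts on the exact address
    (the assumption made here for Twitter) treat these as the same person?"""
    return address_a.strip().lower() == address_b.strip().lower()


if __name__ == "__main__":
    base = "jane.doe@gmail.com"  # constructed sample address
    fb, tw = service_alias(base, "Facebook"), service_alias(base, "Twitter")
    # Same inbox for Google, but distinct identities to the two services.
    print(fb, tw, gmail_mailbox(fb) == gmail_mailbox(tw), linkable(fb, tw))
```

The last line prints True and then False: one inbox, but an email address exposed by one service cannot be matched against the other.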
At least, I think this should help with the problem Jason Polakis previously tweeted about, summarized by The Guardian here:
“It’s getting worse. Even if you’ve never used Facebook login for an app or website, an attacker could use a token to log in on your behalf, provided you use the same email address for both services, Polakis said.
And if you don’t already have an account with these services, attackers can use tokens to create an account in your name, which can sit idle, waiting for you to eventually log in so that they can steal your personal information.”
If you use a tool like LastPass or 1Password to track your accounts, it won’t be difficult to remember which modified email address you used with which service. (Set up two-factor authentication for your password manager too, and pray it never suffers a security breach as serious as the one Facebook is dealing with, or else we’re all in trouble.)