Social media sites are increasingly the focus of our digital lives. Not only do we share, interact and post on platforms like Facebook —we also use these sites to quickly log into our favorite apps and websites. But what happens when these social media gatekeepers are hacked? Awhile back, Facebook suffered a major attack when hackers obtained the digital keys to access at least 30 million accounts (originally thought to be 50 million), exposing highly sensitive personal details.
The attack not only gave the bad guys access to the Facebook accounts but raised the prospect of them also being able to access any linked apps or websites. The message is clear: it may be time to store log-ins for these third-party accounts in a password manager, rather than a frequently targeted social media company.
What happened, exactly?
As a Facebook user, you’re probably well-aware of the ease-of-use benefit of logging-in to your third-party website and application accounts using your Facebook credentials. Known as Facebook Connect, this is what’s called a “Single Sign-On” feature: a fast, simple, and straightforward way to log in to your various accounts, so you don’t have to remember multiple different passwords for different sites and apps.
Convenient, eh? But here’s the problem. At the end of September (in 2018), Facebook discovered a major security issue: attackers managed to steal the crucial access tokens which act as “digital keys” to keep you logged into the site without having to re-enter your password each time you use Facebook. These keys also provide access to all those third-party applications and websites you log-in to via Facebook: everything from Airbnb and Amazon to Tinder and your favorite news apps. Since there’s a chance that the bad guys were also able to illegally access these, they may have been able to gather more of your sensitive info across these accounts to commit identity theft—and thereby gain access to your credit cards as well.
How did the hackers grab these all-important access tokens? By exploiting several bugs in Facebook’s “View As” and video posting features. (View As is a feature that allows users to see what their own profile looks like to someone else). They ultimately stole access tokens for 30 million users; accessed just name and contact details for 15 million; virtually all profile info including name, contact details, username, gender, language, relationship status, religion, etc. for 14 million; and no info at all for 1 million.
Facebook has been quick to point out that there are currently no signs the attackers did access any of third-party apps using Facebook SSO. However, that may change. It also doesn’t alter the fact that a similar incident like this, or worse, could happen in the future. Social media and web providers like Facebook are a major target for attackers, while human error will inevitably lead to some security mistakes in the future. A bug in Google’s code recently exposed the data of 500,000 users of its Google+ social platform, which has prompted their decision to shut down the consumer side of the site within the next 10 months (as of October 2018).
How can I stay safe?
Facebook has fixed the bugs in question and reset the access tokens of those affected by this breach, which should help to stop future attacks. However, if your account was illegally accessed in the attack, there are a few steps you should take:
Take preventative steps
After the above, consider the following options to keep all your accounts secure going forward:
Will it affect my use of Facebook?
If you disable Facebook SSO there may be some loss of sharing functionality. For example, you might find that you can’t post/share articles from within news apps direct to Facebook, and instead have to cut and paste the link manually. It will depend, however, on the apps you’re using. At the end of the day, you need to decide what’s more important to you: tighter integration between apps/websites and Facebook, or keeping your passwords in a separate, secure place away from the social media company.
How can Trend Micro help?
Trend Micro Password Manager can help you to protect the privacy and security of your app and website account passwords across PCs and Macs, and Android and iOS mobile devices. Use it as a highly user-friendly but more-secure alternative to Facebook SSO. Trend Micro Password Manager
For more information, or to purchase the product, go to our Trend Micro Password Manager website. Note that Trend Micro Password Manager is automatically installed with Trend Micro Maximum Security.