Facebook Data Breach – Is Single Sign On Safe?

October 1, 2018

10:52 am

Facebook hit the headlines again this weekend. Although, as ever this year, not for the reasons it would like. Already in the midst of US Senate scrutiny, the company has now revealed that millions of its users recently suffered a significant security breach.

Up to 50 million accounts were potentially affected. For context, that’s more people than live in the whole of California. While it may be a drop in the ocean in terms of Facebook’s 1.47 billion customer base, it’s still a huge number, and a huge embarrassment.

The breach also raises questions about the wisdom of using Facebook’s Single Sign On function to log into multiple sites and service. If Facebook itself is compromised, are all of your accounts at risk?

What Happened in the Facebook Data breach?

With this recent Facebook breach, the issue has been traced back to a mode called ‘View As’. This is a mode we all have on our Facebook accounts. It effectively replicates the view of your page that other users have. It lets you, for example, preview how your Facebook page would appear to your boss, your mom, or a complete stranger, depending on your privacy settings.

However, thanks to a recently-spotted bug, it appears that it was theoretically possible to use this mode to log into another user’s Facebook account.

This issue was reportedly introduced with an update back in July 2017. In theory, a hacker aware of the flaw could potentially been accessing other people’s profiles for over a year. The ‘good’ news is that Facebook says no payment information was taken in the breach.

However, in using this bug, a hacker is also allocated an access token. This is the handy little widget that means you can automatically log into other sites and services using Facebook details. With this, a hacker could access sites and services that you use, in your name, without ever having to enter a password.

In a statement on its news site, Facebook insists it has taken steps to protect affected users:

“First, we’ve fixed the vulnerability and informed law enforcement. Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”

Facebook also confirmed that until the issue was thoroughly investigated and understood, it would be switching off the ‘View As’ feature for all Facebook users.

facebook-single-log-on

An example of Single Sign On

Is it Safe to Sign In With Facebook?

Facebook has now fixed the problem. In some ways, the fact that we’ve only learned about it now, over a year after it was introduced, is encouraging. It means that it’s unlikely to have been widely exploited, and passed under the radar of the hacking community.

The question remains, though, should you trust Facebook with your Single Sign On details?

There’s no doubting the convenience – it eliminates the need to remember multiple passwords. It’s easier to use a single click, after all, rather than typing in yet another email address and password.

On the other hand, as Facebook’s most recent breach has shown, if someone else gets hold of your access token, your other accounts can be vulnerable.

Ask yourself how much you trust Facebook with your data. Not just the data you share on Facebook, but potentially the data you hold on other sites that can be accessed with Single Sign On.

It could all be up for grabs if there’s another similar breach in the future.

What About Single Sign On with Google?

Of course, there are plenty of good reasons to use Single Sign On. Aside from streamlining the login process, it also means that you’re not giving your details to every website you log into.

By treating your Google or Facebook details as a master key, you can log into many other sites without ever giving them your details.

Let’s say you sign up to a site, creating a new password and adding personal data to your profile. If that site gets hacked, then your details could be exploited. Sign in with Single Sign On though, and none of your details are accessible by the site in question, and therefore can’t be compromised. They’re as secure as the protocols put in place by the ‘master site’ – though in Facebook’s case, that’s not a great endorsement.

Many sites allow you to use your Google account details to access sites and services for Single Sign On. Is this any safer than using Facebook? Well, for one thing, Google hasn’t had any similar breaches of its system to the degree that Facebook has experience this weekend.

Again though, it comes down to trust. Do you trust Google to have your back when it comes to your personal data? There’s no doubt that it has poured millions into security, and considering its size, has been rather less susceptible to breaches than other tech brands.

The Solution – Use a Password Manager

One way to side-step the dangers of access tokens being intercepted by third parties is with a password manager. A password manager is software that lives on your computer and allows you to access your sites with a click of a button. It removes the need to remember and repeatedly enter your passwords.

Unlike Single Sign On, password managers don’t rely on access tokens, so can’t be as easily exploited. There are also a host of other features that come with password managers, such as robust password generators to create new passwords for you, plus automatic alerts, should a site you use be hacked.

Password managers are subscription-based, usually charging a few dollars per month to use their services. It’s a small price to pay for the reassuring feeling of being protected online, while others worry about the latest breach.

There are plenty to choose from, but we’ve saved you some research by listing the top three below, according to our rigorous research:

TechCo Logo small
  • Score
  • Full Review
  • Ease of Set Up
  • Features
  • Performance
  • Help & Support
  • Value for Money
  • Annual price
  • Get a Password Manager today:

best password managers for 2018 - tech.co

PureVPN logo - tech.co
  • Score: 89%
  • Full Review
  • Ease of Use: 5 stars
  • Features: 5 stars
  • Privacy: 5 stars
  • Speed: 3 stars
  • Help & Support: 4 stars
  • Value for Money: 5 stars
  • Annual price: $36
  • 1Password Deals

IPVanish-VPN - tech.co
  • Score: 86%
  • Full Review
  • Ease of Use: 5 stars
  • Features: 5 stars
  • Privacy: 5 stars
  • Speed: 4 stars
  • Help & Support: 4 stars
  • Annual price: $39.96
  • Dashlane Deals

Torguard tech.co

For more, see our simple guide – What Is a Password Manager?

Tags:

Did you like this article?

Get more delivered to your inbox just like it!

Sorry about that. Try these articles instead!

Jack is a senior writer at Tech.co with over a decade's experience researching and writing about consumer technology, from security and privacy to product reviews and tech news.

  • Shares

Leave a Reply

  • (will not be published)