Facebook hit the headlines again this weekend. Although, as ever this year, not for the reasons it would like. Already in the midst of US Senate scrutiny, the company has now revealed that millions of its users recently suffered a significant security breach.
Up to 50 million accounts were potentially affected. For context, that's more people than live in the whole of California. While it may be a drop in the ocean in terms of Facebook's 1.47 billion customer base, it's still a huge number, and a huge embarrassment.
The breach also raises questions about the wisdom of using Facebook's Single Sign On function to log into multiple sites and services. If Facebook itself is compromised, are all of your accounts at risk?
What Happened in the Facebook Data Breach?
With this recent Facebook breach, the issue has been traced back to a mode called ‘View As’. This is a mode we all have on our Facebook accounts. It effectively replicates the view of your page that other users have. It lets you, for example, preview how your Facebook page would appear to your boss, your mom, or a complete stranger, depending on your privacy settings.
However, thanks to a recently-spotted bug, it appears that it was theoretically possible to use this mode to log into another user's Facebook account.
This issue was reportedly introduced with an update back in July 2017. In theory, a hacker aware of the flaw could potentially have been accessing other people's profiles for over a year. The ‘good’ news is that Facebook says no payment information was taken in the breach.
However, in using this bug, a hacker is also handed an access token. This is the credential that lets you automatically log into other sites and services using your Facebook details. With it, a hacker could access sites and services that you use, in your name, without ever having to enter a password.
In a statement on its news site, Facebook insists it has taken steps to protect affected users:
“First, we’ve fixed the vulnerability and informed law enforcement. Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
Facebook also confirmed that until the issue was thoroughly investigated and understood, it would be switching off the ‘View As’ feature for all Facebook users.
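The token reset Facebook describes above works because a site that uses Facebook Login should re-check the token with the provider on every sign-in rather than trusting it indefinitely. The toy model below is an added illustration, not Facebook's code: a provider keeps a per-user token generation, a reset bumps it, and any site that asks the provider about an old token is told it is dead and must send the user back to log in.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Constructed stand-in for a login provider such as Facebook Login."""
    # user_id -> current generation; a reset bumps it, orphaning old tokens
    generation: dict = field(default_factory=dict)
    # token -> (user_id, generation at issue time)
    tokens: dict = field(default_factory=dict)

    def issue_token(self, user_id: str) -> str:
        gen = self.generation.setdefault(user_id, 0)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user_id, gen)
        return token

    def reset_tokens(self, user_id: str) -> None:
        # Invalidates every outstanding token for this user at once, without
        # needing to know which particular tokens were leaked.
        self.generation[user_id] = self.generation.get(user_id, 0) + 1

    def introspect(self, token: str):
        # Returns the user id if the token is still live, otherwise None.
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user_id, gen = entry
        if gen != self.generation.get(user_id, 0):
            return None
        return user_id


class RelyingParty:
    """A third-party site that accepts 'Sign in with <provider>'."""
    def __init__(self, idp: IdentityProvider):
        self.idp = idp

    def login(self, token: str):
        # Ask the provider every time; never cache "this token was fine".
        return self.idp.introspect(token)  # None means: sign in again


def demo():
    idp, site = IdentityProvider(), RelyingParty(IdentityProvider())
    site.idp = idp
    token = idp.issue_token("alice")        # constructed sample user
    before = site.login(token)              # "alice": token is live
    idp.reset_tokens("alice")               # the step Facebook took
    after = site.login(token)               # None: stolen token now useless
    fresh = site.login(idp.issue_token("alice"))  # new login works again
    return before, after, fresh
```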
Is it Safe to Sign In With Facebook?
Facebook has now fixed the problem. In some ways, the fact that we've only learned about it now, over a year after it was introduced, is encouraging. It suggests the bug was not widely exploited and had passed under the radar of the hacking community.
The question remains, though, should you trust Facebook with your Single Sign On details?
There's no doubting the convenience – it eliminates the need to remember multiple passwords. It's easier to use a single click, after all, rather than typing in yet another email address and password.
On the other hand, as Facebook's most recent breach has shown, if someone else gets hold of your access token, your other accounts can be vulnerable.
Ask yourself how much you trust Facebook with your data. Not just the data you share on Facebook, but potentially the data you hold on other sites that can be accessed with Single Sign On.
It could all be up for grabs if there's another similar breach in the future.
What About Single Sign On with Google?
Of course, there are plenty of good reasons to use Single Sign On. Aside from streamlining the login process, it also means that you're not giving your details to every website you log into.
By treating your Google or Facebook details as a master key, you can log into many other sites without ever giving them your details.
Let's say you sign up to a site, creating a new password and adding personal data to your profile. If that site gets hacked, then your details could be exploited. Sign in with Single Sign On though, and none of your details are accessible by the site in question, and therefore can't be compromised there. They're as secure as the protocols put in place by the ‘master site’ – though in Facebook's case, that's not a great endorsement.
Many sites allow you to use your Google account details for Single Sign On. Is this any safer than using Facebook? Well, for one thing, Google hasn't had any similar breach of its system on the scale that Facebook experienced this weekend.
Again though, it comes down to trust. Do you trust Google to have your back when it comes to your personal data? There's no doubt that it has poured millions into security, and considering its size, has been rather less susceptible to breaches than other tech brands.
The Solution – Use a Password Manager
One way to side-step the dangers of access tokens being intercepted by third parties is with a password manager. A password manager is software that lives on your computer and allows you to access your sites with a click of a button. It removes the need to remember and repeatedly enter your passwords.
Unlike Single Sign On, password managers don't rely on access tokens, so can't be as easily exploited. There are also a host of other features that come with password managers, such as robust password generators to create new passwords for you, plus automatic alerts, should a site you use be hacked.
Password managers are subscription-based, usually charging a few dollars per month to use their services. It's a small price to pay for the reassuring feeling of being protected online, while others worry about the latest breach.
There are plenty to choose from, but we've saved you some research by listing the top three below, according to our rigorous research:
1Password
Pros:
- Free 6 month trial for 1Password Teams for business
- Local storage makes saving changed passwords more reliable
- Large number of secure note templates for storing sensitive information
- Very well-designed app
Cons:
- No automated password changing feature
- Desktop app seems superfluous
- No camera integration on mobile
Dashlane
Pros:
- Dashlane can automatically change multiple passwords at once
- Easy-to-understand security assessment of your password quality
- Auto-saves online receipts
- Virtual Private Network (VPN) included
Cons:
- The free tier doesn’t back up your database to the cloud
- Very expensive compared to competitors such as 1Password and LastPass
LastPass
Pros:
- Makes your passwords available where you want them: in your browser.
- Detects when you’re using the same password on multiple sites.
- Available on all major browsers and on multiple sites.
Cons:
- Connection issues, though rare, can make password changes maddening.
- Password changing feature is very manual the first time round.