It’s safe to say that this recent Facebook access token hack is a complete mess—much more than a simple inconvenience that might have forced you to log back in to your Facebook account on your devices. And while the company is still sorting out the details and working on ways for developers to mitigate the effects of the attack, there are three things you can do to regain a little more control over your digital life.
First, let’s catch up on Facebook’s latest analysis of the hack:
Facebook dodges a big bullet, maybe
Facebook paints a rosy picture of the attack’s aftereffects in its most recent blog post. It has “found no evidence that the attackers accessed any apps using Facebook Login” and it’s “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”
That sure is nicer to hear than the doom and gloom that came from security researchers over the past few days, who (rightfully) envisioned a pretty far-reaching collapse of account security as a result of Facebook’s hack. Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago, listed out a handful of potential issues in a comprehensive (and now highly referenced) Twitter thread:
However, there are still plenty of questions concerning what data, if any, was accessed for the 50 million accounts the hack directly affected. And as The New York Times’ Farhad Manjoo argues, Facebook’s big security breach should be enough to disqualify it from your digital toolbelt—no more single sign-ons using the service:
“This is a classic you-had-one-job situation. Like a trusty superintendent in a Brooklyn walk-up, Facebook offered to carry keys for every lock online. The arrangement was convenient — the super was always right there, at the push of a button. It was also more secure than creating and remembering dozens of passwords for different sites. Facebook had a financial and reputational incentive to hire the best security people to protect your keys; tons of small sites online don’t — and if they got hacked and if you reused your passwords elsewhere, you were hosed.
But the extensive hack vaporizes those arguments. If the entity with which you trusted your keys loses your keys, you take your keys elsewhere. And there are many more-secure and just-as-convenient ways to sign on to things online.”
I think that’s great advice, and you can even take it one step further.
How to disable Facebook’s single sign-on … and more
First, hit up your Facebook settings and remove all the apps under “Active Apps and Websites.” Yes, every single one. You won’t miss them, I promise.
You can even go bigger. Under the “Apps, Websites and Games” section under the “Preferences” heading, click on “Edit,” and then click “Turn Off.” You’ll now no longer be tempted to sign into new services using your Facebook account, because that won’t work. Ta-da.
I recommend a third and slightly more extreme measure. Sign up for a Gmail account, if you don’t have one already. Then, when you go to sign up for a new service—say, Twitter—give the service a modified email address: your usual Gmail username with a plus sign and a short tag (such as one naming the service) inserted before the @. Google will ignore the plus sign in your email address and anything that comes after it, so the mail still lands in your inbox, but a service like Twitter should treat it as a full, unique email address.
While you’re at it, switch your Facebook email address over to something unique as well, or just another plus-tagged version of your Gmail address. In theory—and I’m spitballing here—this should make it more difficult for attackers to use access tokens from one service to mess with your accounts (or to-be-created accounts) on another if you’ve never set up the latter with single sign-on, since there won’t be a common link between the two.
At least, I think that should help address what Jason Polakis previously tweeted, summarized by The Guardian here:
“It gets even worse. Even if you’ve never used Facebook’s sign-in for an app or website, an attacker could still use the token to log in as you, provided you use the same email address for both services, says Polakis.
And if you don’t yet have an account on these services, attackers can use tokens to create one in your name, which can sit dormant waiting for you to eventually log in so they can steal your personal information.”
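To make the two ideas above concrete (the per-service plus-tagged addresses from the previous section, and the shared-email link that the Polakis scenario relies on), here is a small Python script added for this article; it is not code from the original post or from Facebook, and the jane.doe@gmail.com inbox is a constructed sample.

```python
import re
from itertools import combinations

# Constructed sample inbox for the demonstration; not a real account.
BASE_ADDRESS = "jane.doe@gmail.com"


def service_alias(base: str, service: str) -> str:
    """Build the per-service address the article suggests: local+tag@domain."""
    local, domain = base.rsplit("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    if not tag:
        raise ValueError("service name needs at least one letter or digit")
    return f"{local}+{tag}@{domain}"


def gmail_canonical(addr: str) -> str:
    """Collapse an address the way Gmail routes it: the '+tag' suffix, dots in
    the local part and letter case are all ignored, so every alias built by
    service_alias() is delivered to the same inbox."""
    local, domain = addr.strip().lower().rsplit("@", 1)
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def linked_accounts(registered: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of services whose registered e-mail strings match (case-folded).
    That exact-string match is the 'common link' an access token from one
    service could be matched against at another: a third-party site only sees
    the raw string and does not apply Gmail's canonicalisation."""
    return [
        (a, b)
        for a, b in combinations(sorted(registered), 2)
        if registered[a].strip().lower() == registered[b].strip().lower()
    ]


if __name__ == "__main__":
    services = ("facebook", "twitter", "github")
    shared = {s: BASE_ADDRESS for s in services}
    per_service = {s: service_alias(BASE_ADDRESS, s) for s in services}
    print("same address everywhere ->", linked_accounts(shared))
    print("plus-tagged per service ->", linked_accounts(per_service))
    print("all still deliver to:", {gmail_canonical(a) for a in per_service.values()})
```

With one address reused everywhere, every pair of services is linkable; with a plus-tagged alias per service the link list is empty, while all the aliases still canonicalise to the same inbox.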
If you use a tool like LastPass or 1Password to keep track of your accounts, it won’t be hard to remember which modified email you used with which service. (Set up two-factor authentication on your password managers, too, and pray they never suffer any kind of crazy security breach like what Facebook’s dealing with, or else we’re all screwed.)