Last Friday, Facebook notified users about a data breach that may have exposed up to 90 million Facebook users’ data. Facebook has certainly had their share of screw-ups and shady practices revealed in the last year or so, prompting me to finally just delete my Facebook account. Here’s what you need to know about the Facebook breach and what to do about it.
Details of the Facebook Breach
There are at least two aspects to this breach. First, if you used the Facebook “View As” feature to view your profile the way someone else would see it, your login session was vulnerable to hijacking. Basically, bad guys could steal your session token and have full access to your account, as if they were logged in as you. As long as your session stayed logged in, theirs did too. For this reason, Facebook forced all of the accounts it believed were exposed to log out. If your Facebook session died last Friday, this may be why.
Second, if you used the “Log in with Facebook” feature to access other websites without having to create an account on that site, the bad guys could use this same token to log in to those third-party sites as well. This is a popular feature of many websites today. They want you to create an account, usually to get your info and then market stuff to you. Facebook and Google have cleverly created a mechanism that basically says “yeah, I vouch for this person and I’ll give you the info you want”. And of course, you then establish a relationship between these third parties and Google or Facebook – allowing them to share your information, purchases, etc.
What You Need to Do
First and foremost, log out of Facebook completely, everywhere. Facebook claims to have already done this for everyone who was affected, but it can’t hurt to do it. This will also allow you to see other places where you’re logged in that you may have forgotten about. (If Facebook already did this for you last Friday, you can skip this step.)
- Go to Facebook Settings under the little triangle menu at the upper right.
- Go to the “Security and Login” tab and look at “Where You’re Logged In”.
- Click “Log out of all sessions” at the lower right. You’ll then need to log in again everywhere.
Next, you need to check all the apps and third-party sites that you’ve connected to Facebook. Review all of them and remove any that you don’t absolutely need.
- In Facebook Settings, go to the “Apps and Websites” tab.
- Review all the “Active” apps and remove any that you don’t absolutely need.
- You might also review your Preferences under this tab. If you can, just disable third-party access entirely.
General Security Practices for Facebook, Google & Twitter
Facebook, Google and Twitter are advertising companies – you’re not their customer, you’re their product. You should be very circumspect about how you use these services and how much information you give them. Here are some general tips.
- Never, ever give these services access to your contact lists and address books. They will often offer to help you find friends this way. Think of all the information you have in your address book and realize that you’re giving them access to all of that – not just email addresses and phone numbers, but full names, mailing addresses, birthdays, and any other notes you attach. You should understand that you’re volunteering private data on other people without their consent. (Still not convinced? See this recent article about how Facebook uses this data.)
- Don’t use the “Log in with Facebook” or “Log in with Google” buttons. If you really want to use that site and they require you to give them your info, just create an account. Use your password manager to generate a strong, unique password and remember it for you.
- Be wary of any app or web service that asks you to give them access to your Facebook, Google or Twitter accounts. This is usually so that you can share content… what song you’re listening to right now, what great restaurant you’re in, a funny meme, a recipe, whatever. You could be giving those sites and services access to lots of info on you, and in return they’ll share their info on you with Google, Facebook, and Twitter.
Again… if you’ve finally had enough of this crap from Facebook, seriously consider just deleting your Facebook account. Google is harder to give up, but I’m on a mission to do just that. Stay tuned for a series of posts on how to do this for yourself. You might want to listen to my podcast on this topic, as well. There aren’t many replacements for Twitter, but you might check out Mastodon.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.