Let’s talk about that elephant in the room: Facebook’s recent disclosure that attackers got their hands on access tokens for an unknown number of Facebook accounts is a big deal, since it’s the kind of hack that you, a happy Facebook user, could not prevent.
Another day, another Facebook hack. This time around, the accounts of some 50 million users were left vulnerable for over a year, with Facebook only identifying and fixing the problem on September 25. Find out exactly what happened, if you're affected, and what you can do to protect yourself in the future.
Have a great, strong password? That’s nice. Wouldn’t have helped. Set up two-factor authentication using an app instead of just receiving a login code via a text message? Awesome. Keep doing that. Your account still could have been compromised.
Do you have Facebook alert you if someone else is trying to log into your account? Do you religiously check your “Where You’re Logged In” listing to make sure someone isn’t accessing your account that shouldn’t? All great security practices; all completely unhelpful with Facebook’s latest “access token” issue, at least based on what we learned from Facebook’s vice president of product management, Guy Rosen, in a September 28 press call:
It depends on how that access token was being used. If they went through what is a technical step of creating a — what we call a full web session — from that access token, it would indeed have shown up [in “Where You’re Logged In”]. There are some other cases where it may not have shown up if it was used, similar to how a developer might access a certain account only in order to perform certain very limited parts of the functionality.
Do you have a headache? I have a headache. Maybe it’s time to make a change — a big change.
How To Delete Your Facebook Account
Deleting your Facebook account is easy — too easy. But I’m unconvinced that the process actually does everything you want it to do. Yes, your account goes away and people can’t tag you in things any more. Yes, Facebook should delete all the data you’ve associated with your account. But does it really do that? Really? I’m cautiously optimistic.
According to Facebook, deleting your account means:
You won’t be able to reactivate your account.
Your profile, photos, posts, videos, and everything else you’ve added will be permanently deleted. You won’t be able to retrieve anything you’ve added.
You’ll no longer be able to use Facebook Messenger.
You won’t be able to use Facebook Login for other apps you may have signed up for with your Facebook account, like Spotify or Pinterest. You may need to contact the apps and websites to recover those accounts.
Some information, like messages you sent to friends, may still be visible to them after you delete your account. Copies of messages you have sent are stored in your friends’ inboxes.
To get started, all you have to do is click this link, find the “Delete Your Account and Information” option, and let ‘er rip. Don’t log into your account while Facebook is removing all your data from its servers, which could take up to 90 days for Facebook to finish.
After that, your account is gone for good — and all your data too, one hopes.
Try Taking A More Nuanced Approach To Account Deletion
Like I said, it’s easy to nuke your account from orbit, but you have no way to be sure that Facebook isn’t saving some of the data you’ve given it.
Or, worse, that your friends aren’t helping the service create some kind of shadow profile about you — some hidden chunk of related information that Facebook could easily associate with your personal information should you ever decide to rejoin the service again.
This sounds a little tin-foil-hat, I realise, and there’s no way of knowing that Facebook isn’t archiving every single data point you ever send to the service — making any attempts to obfuscate or delete it somewhat pointless. But I think it’s OK to be more sceptical than accommodating in today’s digital world. If I was deleting my Facebook today, this is how I’d do it:
- I’d download all of my Facebook data, because you never know when you’ll need it again (and you might want the memories, too).
- I’d remove all third-party apps or services I’ve used my Facebook account to log in with (or otherwise associated with my Facebook account). As an added bonus, this means that any other vulnerabilities that come up between now and Facebook’s deletion of your account should hopefully prevent an attacker from accessing your account and somehow stopping the deletion process.
- I’d make sure I’m logged out of any and all devices that have accessed Facebook.
- I’d remove all authorised devices that can log into Facebook without a special login code.
- I’d delete any special app passwords I’ve created.
- I’d consider using an extension to batch-delete my Facebook timeline (just for added peace of mind), but I probably wouldn’t do this, given how long it might take.
- I’d delete my location history (three-dot icon in the upper-right corner).
- I’d delete any contacts I ever uploaded to Facebook.
- I’d turn off Face Recognition (just in case).
- I’d delete any payment information (including credit cards) I’ve stored on Facebook. I’d also remove any associated email addresses.
- I’d start to obfuscate my information. It’s a little “security theatre”, because there’s no way to tell whether Facebook keeps data you’ve changed. (I bet it does.) Still, it doesn’t take that much time to switch your Facebook email address to something new and temporary, remove your phone number, ditch your address, and delete (or change) any other critical information that others might know about you — information Facebook could potentially extract from them to maintain a secondary profile of your deleted self, as I touched on earlier.
Phew. Did I leave anything out? Are we feeling better yet?