How To Protect Yourself After Facebook’s Recent Hack

David Murphy

Published October 4, 2018 at 12:30 pm

Filed to: account, authentication, compromised, data, facebook, privacy, single sign-on

It’s safe to say that this recent Facebook access token hack is a complete mess — much more than a simple inconvenience that might have forced you to log back in to your Facebook account on your devices.

And while the company is still sorting out the details and working on ways for developers to mitigate the effects of the attack, there are three things you can do to regain a little more control over your digital life.

First, let’s catch up on Facebook’s latest analysis of the hack:

Facebook Dodges A Big Bullet, Maybe

Facebook paints a rosy picture of the attack’s aftereffects in its most recent blog post. It has “found no evidence that the attackers accessed any apps using Facebook Login” and it’s “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out”.

That sure is nicer to hear than the doom and gloom that came from security researchers over the past few days, who (rightfully) envisioned a pretty far-reaching collapse of account security as a result of Facebook’s hack.

Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago, listed out a handful of potential issues in a comprehensive (and now highly referenced) Twitter thread:

Depending on how a site implements local account management, in some cases attackers can gain access to users' 3rd party accounts that haven't been associated with their FB account. In other cases the attacker is simply presented with a new account (under the user's name). (7/n)

— jason polakis (@jpolakis) September 29, 2018

More importantly, once attackers gain access to those 3rd parties, they can maintain access to user accounts in those websites using the cookies set by those sites. No matter what FB does, they can’t do anything to prevent attackers from accessing those accounts. (9/n)

— jason polakis (@jpolakis) September 29, 2018

However, there are still plenty of questions concerning what data, if anything, was accessed for the 50 million accounts the hack directly affected. And as The New York Times’ Farhad Manjoo argues, Facebook’s big security breach should be enough to disqualify it from your digital toolbelt — no more single sign-ons using the service:

This is a classic you-had-one-job situation. Like a trusty superintendent in a Brooklyn walk-up, Facebook offered to carry keys for every lock online. The arrangement was convenient — the super was always right there, at the push of a button. It was also more secure than creating and remembering dozens of passwords for different sites. Facebook had a financial and reputational incentive to hire the best security people to protect your keys; tons of small sites online don’t — and if they got hacked and if you reused your passwords elsewhere, you were hosed.

But the extensive hack vaporizes those arguments. If the entity with which you trusted your keys loses your keys, you take your keys elsewhere. And there are many more-secure and just-as-convenient ways to sign on to things online.

I think that’s great advice, and you can even take it one step further.

How To Disable Facebook’s Single Sign-On And More

First, hit up your Facebook settings and remove all the apps under “Active Apps and Websites”. Yes, every single one. You won’t miss them, I promise.

You can even go bigger. Under the “Apps, Websites and Games” section under the “Preferences” heading, click on “Edit”, and then click “Turn Off”. You’ll now no longer be tempted to sign into new services using your Facebook account, because that won’t work. Ta-da.

I recommend a third and slightly more extreme measure. Sign up for a Gmail account, if you don’t have one already. Then, when you go to sign up for a new service — say, Twitter — give the service a modified email address: [email protected], for example. Google will ignore the plus sign in your email address and anything that comes after it, but a service like Twitter should consider this a full, unique email address.

While you’re at it, switch your Facebook email address over to something unique as well, or just [email protected]. In theory — and I’m spitballing here — this should make it more difficult for attackers to use access tokens from one service to mess with your accounts (or to-be-created accounts) on another if you’ve never set up the latter with single sign-on, since there won’t be a common link between the two.


At least, I think that should help address what Jason Polakis previously tweeted, summarised by The Guardian here:

It gets even worse. Even if you’ve never used Facebook’s sign-in for an app or website, an attacker could still use the token to log in as you, provided you use the same email address for both services, says Polakis.

And if you don’t yet have an account on these services, attackers can use tokens to create one in your name, which can sit dormant waiting for you to eventually log in so they can steal your personal information.

If you use a tool such as LastPass or 1Password to keep track of your accounts, it won’t be hard to remember which modified email you used with which service. (Set up two-factor authentication on your password managers, too, and pray they never suffer any kind of crazy security breach like what Facebook’s dealing with, or else we’re all screwed.)
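As an added example (not code from the article, Facebook, or Polakis), here is a toy model in Python of the account-linking logic that both the quoted tweets and the plus-addressing tip turn on: a site that auto-links Facebook logins by e-mail match, beside one that only honours a link the user made herself, each run for a victim who registered with her plain address and with a plus-addressed one. All accounts, tokens and addresses are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    linked_fb_ids: set = field(default_factory=set)

# Constructed: what the third-party site learns when it redeems a Facebook
# access token. The site only sees the token, so an attacker holding a stolen
# one looks exactly like the victim.
FB_TOKENS = {"stolen-token": {"fb_id": "fb-1001", "email": "alice@example.com"}}

def link_facebook(db, email, fb_id):
    """The legitimate path: the user, already logged in locally, links her
    Facebook id to her account. This is the only link the hardened login trusts."""
    db[email].linked_fb_ids.add(fb_id)

def unsafe_fb_login(db, token):
    """Links by e-mail match: whoever holds the token gets the existing local
    account with that address, or a fresh account is created in that name."""
    profile = FB_TOKENS.get(token)
    if profile is None:
        return None
    account = db.get(profile["email"])
    if account is None:
        account = db[profile["email"]] = Account(profile["email"])
    account.linked_fb_ids.add(profile["fb_id"])
    return account

def hardened_fb_login(db, token):
    """Honours only a Facebook id the user linked herself (link_facebook);
    an e-mail match alone is not proof of ownership, so it falls through."""
    profile = FB_TOKENS.get(token)
    if profile is None:
        return None
    return next((a for a in db.values() if profile["fb_id"] in a.linked_fb_ids), None)

def token_holder_outcome(login, registered_email, token="stolen-token"):
    """Outcome on a site where the victim registered with registered_email
    and never linked Facebook: which account the token holder lands in."""
    db = {registered_email: Account(registered_email)}
    existing = set(db)
    account = login(db, token)
    if account is None:
        return "rejected"
    return "took over existing" if account.email in existing else "created dormant"
```

A site that canonicalises addresses (stripping the plus suffix) before matching would defeat the plus-addressing trick on the unsafe path, so the explicit-link check is the fix that does not depend on the user's choice of address.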
