Whether the loophole lasts a day, a month, or forever, a new “Facebook Email Search” program again shows why you might not want to use your regular email address for the sprawling social media site — or any, really. As researchers found, it’s pathetically easy to hammer through a big list of email addresses and link them to real Facebook accounts.
The scope of the tool is pretty significant — up to five million email addresses per day when it’s really cruising along — and it can link Facebook accounts to said emails regardless of the account owner’s security settings. You might have made your Facebook profile as private as it can get, but that doesn’t stop the tool from working its magic.
While this kind of a vulnerability doesn’t pose a direct threat to your security, as nobody will be able to use the existence of your email address as a way to break into your Facebook account, it’s still one more data point that you probably don’t want tied up in some gigantic database. That information could be used to dox or phish you at some future point, or who knows what else — attackers can get plenty creative when they have a wealth of data about you, your associated accounts, and a few leaked passwords.
Since Facebook is a juicy target for attacks and data breaches, and odds are high that a majority of people using the service are probably unwilling to part with it for good, one of the best things you can do for yourself is to use fake data about yourself wherever possible. At minimum, you should use an email address with Facebook that you don’t use with any other service (and ideally, a separate phone number, too).
Changing this data on Facebook is easy: All you have to do is visit your primary Facebook settings page to start changing your email address, or “Contact,” as Facebook calls it. Add a new one, make it the primary, and delete the old one — easy as that. You’ll perform a similar process to switch over to a new phone number. All in all, this shouldn’t take more than ten minutes to switch over, and that’s including the time you’ll spend looking at your inbox or text messages, waiting for Facebook to send you new confirmations.
In a perfect world, you’d use a unique email address (and phone number, if required) for all your social services. The former is pretty easy to set up and manage, especially if you have a password manager doing all the heavy lifting. The latter is a lot more of a pain to deal with, and it’s something you can largely avoid if you stop giving your phone number to the services you use. The exception, of course, is a service that only offers SMS-based two-step verification: it’s better to enable that than to go without, but you can skip handing over a number entirely if the service also supports conventional two-factor authentication through a third-party authenticator app.
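To make concrete what the “one more data point” above actually buys an attacker, and why a unique address per service breaks it, here is an added example (not code from the original article, and not the tool the researchers built). It simulates the correlation step: several constructed leak records are joined on a normalized email address, so accounts on different services collapse into one profile and any reused password surfaces with it. The normalization rules are an assumption modeled on Gmail-style addressing (case-insensitive, dots in the local part ignored, a `+tag` suffix dropped), which is also the caveat: a `+tag` alias on one mailbox does not isolate identities, since an attacker strips it in one line; a genuinely separate address per service (the `alias.example` rows, a made-up domain) does.

```python
from collections import defaultdict

# Constructed sample "breach dump" rows: (service, email, leaked secret).
# Entirely made up for this example; not real data.
LEAKS = [
    ("socialnet", "Jane.Doe+social@gmail.com", "hunter2"),
    ("shopsite",  "janedoe@gmail.com",         "hunter2"),
    ("forum",     "jane.doe+forum@GMAIL.com",  "tr0ub4dor"),
    ("socialnet", "kq7x2@alias.example",       "correct-horse"),
    ("shopsite",  "m93pl@alias.example",       "battery-staple"),
]


def normalize(email):
    """Collapse the aliasing tricks an attacker strips before joining dumps.

    Assumption: Gmail-style rules (case-insensitive, '+tag' dropped for every
    domain, dots in the local part ignored only for Gmail domains).
    """
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def correlate(rows):
    """Group leak rows by normalized email: {identity: [(service, secret), ...]}."""
    profiles = defaultdict(list)
    for service, email, secret in rows:
        profiles[normalize(email)].append((service, secret))
    return dict(profiles)


def linked_profiles(rows, min_services=2):
    """Identities that could be tied to at least min_services distinct services."""
    return {
        identity: entries
        for identity, entries in correlate(rows).items()
        if len({service for service, _ in entries}) >= min_services
    }


def reused_secrets(rows):
    """Per linked identity, secrets that showed up on more than one service."""
    out = {}
    for identity, entries in correlate(rows).items():
        services_by_secret = defaultdict(set)
        for service, secret in entries:
            services_by_secret[secret].add(service)
        reused = {s for s, svcs in services_by_secret.items() if len(svcs) > 1}
        if reused:
            out[identity] = reused
    return out


if __name__ == "__main__":
    for identity, entries in linked_profiles(LEAKS).items():
        services = sorted({service for service, _ in entries})
        print(f"{identity}: linked across {services}")
    for identity, secrets in reused_secrets(LEAKS).items():
        print(f"{identity}: reused secret(s) {sorted(secrets)}")
    # The two alias.example accounts never appear: nothing joins them.
```

Run as-is, the three Gmail variants collapse into a single identity spanning three services with one reused password, while the two per-service aliases stay unlinked. That is the whole argument for a distinct address per service in code form: the join key simply does not exist.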
If this all sounds like a lot to remember, it shouldn’t be. Just think of this one word whenever you’re setting up a new service or reviewing the information you’ve already shared with one: obfuscation. If a service doesn’t need to know your actual information in order to grant you access, you don’t need to cough it up. The more you can hide your critical information, such as your name, date of birth, email address, phone number, and real address, the better off you’ll be when clever people start poking around.