Wednesday, October 3, 2018

Changing Facebook Passwords in the Aftermath of the Breach

Reposted from September 30, 2018 with updates.

On Tuesday we learned that Facebook had suffered a breach that affected about 50 million users, through an attack that abused the platform's "View As" feature. Facebook went further and reset the access tokens of roughly 90 million users, logging them out of their accounts 'out of an abundance of caution.' For more detail, read this post from TechCrunch.

A critical thing to understand is that what was stolen were access tokens, the credentials Facebook hands out to keep you logged in. A token lets its holder act as you on Facebook, and it also lets them sign into any third-party site you have logged into with Facebook Login, without ever knowing your password. So the theft affects every site you have signed into using Facebook. In the interest of protecting yourself, set up a separate account and password for each site; do NOT sign into other sites with your Facebook credentials, or any other platform's. Too much trouble? Read my post on using a password manager. A password manager makes that easy to do and gives additional benefits.

Changing My Facebook Password

I rarely use Facebook but I've had an account for years, so I decided to change my password, partly at the prompting of my password manager. Here are things I learned along the way.
The first time I signed into my password manager, which is pinned to my Start menu, I saw the alert on the left--a quick warning about the breach. A couple of days later I got the more specific alert on the right telling me that 49 of my accounts had been compromised!

Does that mean that 49 of my accounts had been breached? No, it means that 49 of my accounts used elements of my Facebook password. I admitted to lazy password habits in the password manager post and I haven't bothered to change many of them. This time I decided I would at least change my Facebook and bank passwords.
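The "49 accounts" alert is the password manager comparing every stored password against the one that was exposed, flagging not just exact reuse but close variants (same word with a different year, the same password plus a site suffix, symbols dropped to satisfy a site policy). Here is an added example of that kind of reuse audit; it is not code from the original post or from any real password manager, and the vault entries and the "compromised" password are constructed sample data.

```python
"""Flag vault entries that reuse a compromised password or a close variant.

Added example, not from the original post or any real password manager.
The vault and the compromised password are constructed sample data.
"""
from difflib import SequenceMatcher

# Constructed sample vault: (site, password). Passwords are illustrative only.
VAULT = [
    ("facebook.com", "Tulip2014!"),
    ("bank.example", "tulip2014"),        # same base word and year, no symbol
    ("shop.example", "Tulip2014!shop"),   # compromised password plus a suffix
    ("mail.example", "Tulip2015!"),       # one character changed
    ("forum.example", "x9$Qm2!vLp#7Rw"),  # unrelated random password
]


def _word_part(pw: str) -> str:
    """Lower-case the password and keep only letters, so that
    'Tulip2014!' and 'tulip2014' compare equal on their word part."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def related(candidate: str, compromised: str, threshold: float = 0.8) -> bool:
    """True if candidate is the compromised password or a trivial variant.

    Checks, in order: exact match, one password contained in the other
    (prefix/suffix tricks), identical word part (year or symbol changed),
    and finally an overall similarity ratio above the threshold."""
    if candidate == compromised:
        return True
    if compromised in candidate or candidate in compromised:
        return True
    word = _word_part(candidate)
    if word and word == _word_part(compromised):
        return True
    ratio = SequenceMatcher(None, candidate.lower(), compromised.lower()).ratio()
    return ratio >= threshold


def audit(vault, compromised: str):
    """Return the sites whose stored password shares material with the
    compromised one, in vault order."""
    return [site for site, pw in vault if related(pw, compromised)]


if __name__ == "__main__":
    for site in audit(VAULT, "Tulip2014!"):
        print(f"change the password on {site}")
```

Run against the sample vault, four of the five sites are flagged; only the unrelated random password survives. A real manager would also compare against known-breached password corpora, but the variant matching above is what turns one exposed password into a long list of accounts to fix.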

Changing my Facebook password was easy. Using my password manager, a 'create a secure password' box pops up each time I change a password. It creates a 12-character password composed of upper case and lower case letters, numbers and special characters. It is far beyond brute-force guessing and equally impossible to remember! Your password manager will use it to sign you in automatically, so you don't need to remember it--thank goodness!

Changing My Bank Password


Ok, so now I have a safe Facebook password--on to my bank. I followed the same process and the site refused my password. I didn't understand, so I tried again with the same result (yes, I know the popular definition of insanity!). The second time I read carefully and understood that it was rejecting the special characters in the strong password created by the password manager.

Then I actually read the bank's password rules. They did not require a combination of upper case and lower case letters, and they did not require special characters, both requirements on many sites. I created a new password using its rules. I'm confident that it is not as strong but it's so silly that I wonder if a human hacker could crack it. But what about a sophisticated tech hack?

I used their contact form and asked to speak to a rep knowledgeable about their password system. If I have an interesting response, I'll write about it at a future date.
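The bank's rejection of symbols is a common situation: the manager's generator draws from one alphabet, the site accepts a smaller one. The practical answer is to generate from the site's allowed set and add length to make up for the smaller alphabet, since a uniformly random password's guessing entropy is length times log2(alphabet size). The following is an added example, not code from the original post or from any password manager; the two policies are constructed to mirror the post, and the "bank-like" alphabet is an assumption, since the post does not list the bank's exact allowed characters.

```python
"""Generate a password that satisfies a site's character policy and
report how much entropy the policy costs.

Added example, not from the original post or any real password manager.
The policies are constructed; the 'bank-like' alphabet is an assumption.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # 24 printable symbols

# Constructed policies: name -> (allowed alphabet, minimum length)
POLICIES = {
    "facebook-like": (string.ascii_letters + string.digits + SYMBOLS, 12),
    "bank-like":     (string.ascii_letters + string.digits, 12),  # no symbols
}


def generate(alphabet: str, length: int) -> str:
    """Draw each character uniformly from the alphabet using the OS CSPRNG
    (secrets), never random.choice."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a non-trivial alphabet and a positive length")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, bits: float) -> int:
    """Shortest length over this alphabet that reaches the target entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def complies(pw: str, alphabet: str, min_len: int) -> bool:
    """True if every character is allowed and the length meets the minimum."""
    return len(pw) >= min_len and all(ch in alphabet for ch in set(pw))


if __name__ == "__main__":
    full_alpha, full_len = POLICIES["facebook-like"]
    bank_alpha, bank_len = POLICIES["bank-like"]
    target = entropy_bits(len(full_alpha), full_len)
    # How long must a symbol-free password be to match the 12-char one?
    needed = length_for_bits(len(bank_alpha), target)
    print(f"12 chars over {len(full_alpha)} symbols: {target:.1f} bits")
    print(f"need {needed} chars over {len(bank_alpha)} symbols to match")
    pw = generate(bank_alpha, max(bank_len, needed))
    assert complies(pw, bank_alpha, bank_len)
    print("bank-compliant password:", pw)
```

With these alphabets, 12 characters drawn from 86 symbols give about 77 bits, and 12 drawn from the 62 letters and digits give about 71 bits; one extra character over the smaller alphabet closes the gap. The thing that actually weakens a password is not the missing symbols but picking something memorable instead of random.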


Take-Aways


I'll repeat the advice that is all over the web and add two more that aren't repeated as often but are equally important.

  1. Change your Facebook password.
  2. Change the password on every site you have, or even think you have, logged into with Facebook.
  3. Use a unique password for each site with which you set up an account. Never log onto a site using your credentials from another platform.

Update on the Use of Social Sign-In in the Context of the Facebook Breach


"Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google+, to sign into a third party website instead of creating a new login account specifically for that website." (Wikipedia)

It is well known that many internet users prefer to sign in with a social platform instead of setting up yet another account. Taking that chore away is one of the reasons to use a password manager, and it is also the reason for recommendation #2 above.

The Facebook breach is a reason NOT to use social sign-in, although whether actual damage has been done is not yet clear. Both the NY Times and The Guardian have published articles saying the risk is there.

Facebook says no other sites have been breached.

An Australian academic gives a thoughtful overview.

Two things seem certain. First, we will see more 'quick and dirty' announcements of breaches, because the GDPR requires notification within 72 hours and the fines for not reporting promptly are stiff.

Second, we live in a world where there is now a 'third certainty.' Add to death and taxes the certainty of more data breaches to come!

Stay Safe!
