Following disclosure of a data breach affecting 50 million people on Facebook, the company revealed things are worse than first thought. In a follow-up call with Wired late Friday, the social network said the hack affected its Single Sign-On (SSO) services.
This means any website that allows you to sign in with your Facebook profile may be compromised.
SSO services are meant to be a more secure option for browsing the web. Offered by big online companies like Facebook, Google and Twitter, SSO allows smaller online companies to provide the same level of secure authentication as the big guys.
It’s an excellent option for companies that don’t have the capital to invest in high-level security. It’s also beneficial for consumers, offering convenience and a small loyalty bonus. If you use Facebook, you get faster, easier and more secure access. But that convenience comes at a cost.
SSO exacerbates one of the most significant flaws with any online security platform: reused passwords. It essentially reuses your Facebook, Google, Twitter or other account data and authentication tokens. If hackers gain access to one, they gain access to all sites connected to that SSO.
The recent breach exposed the authentication tokens for users. That’s why the company logged out 50 million affected users and another 40 million potentially affected users. Hackers could have their authentication tokens, granting access to their Facebook accounts as well as any sites using Facebook sign-in.
In addition to invalidating authentication tokens by logging users off, the company has notified developers using Facebook’s SSO which accounts have had tokens reset.
However, it isn’t clear how long affected sites will accept the stolen access tokens. Furthermore, it’s unclear how difficult it would be for attackers to access a third-party website using stolen authentication tokens.
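The open question above is how a site that accepts Facebook sign-in should react once it is told which accounts had tokens reset. The following is an added illustration, not code from the article or from Facebook: a hypothetical relying party that terminates its own sessions for the listed accounts and refuses any provider token minted before the reset. The notice format, class and function names, and sample times are all constructed assumptions.

```python
# Added example: a third-party site's session store reacting to an SSO
# provider's token-reset notice. Notice format and names are assumptions,
# not Facebook's actual API.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Session:
    provider_user_id: str      # account id at the SSO provider
    token_issued_at: datetime  # when the provider token behind it was minted
    active: bool = True


class RelyingParty:
    """Local session store of a site that accepts SSO logins."""

    def __init__(self):
        self.sessions = {}     # local session id -> Session
        self.reset_after = {}  # provider user id -> time of last token reset

    def login(self, session_id, provider_user_id, token_issued_at):
        # A token minted before the provider reset that account's tokens
        # may be a stolen one: refuse it even if it still "looks" valid.
        reset = self.reset_after.get(provider_user_id)
        if reset is not None and token_issued_at <= reset:
            return False
        self.sessions[session_id] = Session(provider_user_id, token_issued_at)
        return True

    def handle_token_reset(self, notice):
        """notice: constructed dict {"user_ids": [...], "reset_at": datetime}."""
        revoked = 0
        for uid in notice["user_ids"]:
            self.reset_after[uid] = notice["reset_at"]
            for s in self.sessions.values():
                if s.provider_user_id == uid and s.active:
                    s.active = False  # log the user out of this site as well
                    revoked += 1
        return revoked

    def is_active(self, session_id):
        s = self.sessions.get(session_id)
        return bool(s and s.active)


def demo():
    """Walk through a reset notice with constructed sample times."""
    rp = RelyingParty()
    t_old = datetime(2000, 1, 1, tzinfo=timezone.utc)
    rp.login("s1", "user-A", t_old)
    rp.login("s2", "user-B", t_old)
    revoked = rp.handle_token_reset(
        {"user_ids": ["user-A"], "reset_at": datetime(2000, 1, 2, tzinfo=timezone.utc)})
    stale = rp.login("s3", "user-A", t_old)  # old token for A is refused
    fresh = rp.login("s4", "user-A", datetime(2000, 1, 3, tzinfo=timezone.utc))
    return revoked, rp.is_active("s1"), rp.is_active("s2"), stale, fresh
```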
If the breach impacted your Facebook account, you should change your password immediately. Furthermore, you should log out of any website where you’ve used Facebook login. Beyond that, unfortunately, all you can do is wait as the social network continues to work through the full scope of the breach.
The social network has had a rough week for security. Along with the data breach, the company confirmed that it took phone numbers provided for two-factor authentication and used them for advertising.