The struggles continue for Facebook. As you hopefully know by now, on Sept. 28, the social media giant announced a security breach affecting 50 million accounts. The breach involved the theft of password tokens that allow a user to stay signed in or to sign into numerous third-party applications, such as Spotify, Instagram and Yelp, among thousands of others. We want to take the opportunity presented by this most recent breach to remind you about best practices that can help you not only deal with this event at Facebook, but better manage security across all of the systems you use.
Facebook automatically logged out all 50 million users who were affected and another 40 million users who were potentially affected by the breach. While Facebook stated that passwords were not compromised, if you use the same password across multiple sites, now would be a great time to change your password. As we have written before, you should also consider using a password manager, such as LastPass or 1Password. These applications require you to memorize only one master password; they then create and store strong, unique passwords on your device(s) for every website that you use. Using a unique password for every website keeps a breach of one website isolated from all the others. Need another cautionary tale about reusing the same password? (See: Yahoo! Breach).
In the Facebook settings page, you can see which third-party applications or websites you are allowing Facebook to share your information with. Facebook reset these tokens after the breach, but before the reset the stolen tokens could have allowed the hackers access to the sites you used Facebook to sign into. You can use this opportunity to revoke permission for websites you no longer use, or choose not to use Facebook to sign into other websites in the future. As mentioned above, using a password manager to log into multiple websites is a strong alternative to Facebook login and to any site's built-in "sign in with" features.
Another way to boost the security of your Facebook account is to use two-factor authentication. Two-factor authentication requires the user to present two separate items to log into an account. This usually consists of something you know, like a password, and something you have, like a cellphone. This means that you cannot log into your account without both items. Therefore, should your password become compromised, your account remains secure unless the bad actor also possesses your second factor (your cellphone). Facebook, along with several other popular websites, allows a user to configure his or her account for two-factor authentication. While this may make logging in a longer process (we are talking seconds, people!), the benefits far outweigh the damage that can be caused when someone has breached your account.
Finally, while checking the settings in your Facebook account or any website account, take a minute to review your privacy settings. Facebook can be a treasure trove of information for malicious actors who may wish to send a spear-phishing email or launch any number of other attacks. Verify to whom you allow access to your posts or home page and try to limit it as much as possible. What you may consider to be innocuous information could be used to gain access to bank accounts through security questions, or may be used to impersonate your boss in an email to you asking for your W-2 or other sensitive information.
The Facebook breach will not be the last. Breaches will continue to come in larger and larger numbers. The one consistent factor is you. Your choices to better manage your personal privacy and security provide you the best defense against the inevitable.