Late last year, Facebook was hacked, and it sent everyone scrambling to understand why it happened, who was responsible, and most importantly, what it meant for the potentially 90 million affected users. What’s become clear is that Facebook’s unprecedented access to user data across at least 8 million websites—via the ever-present Login With Facebook option—puts each of Facebook’s 2 billion-plus users at risk.
To understand why the Login With Facebook option is a bad idea, we’re sharing three facts you might not know about the problems associated with using a login connected to your social profile as a way to manage logins for many accounts.
Fact #1: Facebook collects a surprisingly large amount of data on people to power its advertising engine.
Facebook is often referred to as a “social media company” or a “social media app.” But that’s not a business model. It would be far more accurate to think of Facebook as the second largest data-collection and advertising agency in the history of mankind, behind Google—we’ll get to them soon.
In 2017, 98% of Facebook’s global revenue was generated through its advertising business. It’s no wonder Facebook does everything in its power to collect every ounce of data about everyone they can, whether they have a Facebook account or not. That phone number you gave Facebook to help secure your account? The company used it to serve you and your friends ads. The list of data points they collect is practically endless.
Armed with this data, you could say that Facebook knows more about you than even you know about you. And one of the primary ways Facebook collects this data was just revealed to be vulnerable.
Fact #2: The Facebook hack exposed Login With Facebook, which connects users with third-party services like Airbnb, Spotify, and Uber.
It’s hard to find a service nowadays that isn’t connected to Facebook in some way. For many of those services, users don’t even need to create an account—they simply use Login With Facebook to gain access. In theory, using Facebook as a way to manage logins for other accounts is beneficial to all parties: Users get an easy, one-click login, services get new, verified users without the responsibility of securing login data, and Facebook gets access to the user data associated with those services.
However, the Facebook hack exposed the dangers of using Facebook as a way to manage your logins for many accounts.
It’s unclear what data, if any, was stolen in the hack. However, a paper published by computer scientist Jason Polakis in August 2018 analyzed the different ways hackers could exploit Login With Facbeook, as well as other types of social logins (e.g. signing in with Google) to infiltrate third-party accounts.
In controlled experiments, authors of the paper were able to:
- Get into a target’s Uber account, track the target’s trips in real time, and even tip the driver after a completed trip.
- Send and receive messages on a target’s Tinder account, even though those messages appeared unread on the target’s device.
- Access a target’s Expedia account and view their passport number, TSA information, and payment details.
- Log in to some accounts where users didn’t even useLogin With Facebook, as long as those accounts used the same email address associated with their Facebook account. Pro tip: Use a different email for Facebook than you do for any other services to eliminate this risk.
It’s easy to imagine a real-life scenario where hackers take advantage of compromised social accounts connected to third-party services and exploit them.
Fact #3: You can start to take back control of your private data by using a password manager instead of Facebook to log in.
Password managers remember all your different passwords, personal details, and payment info and intelligently fill in that information on your desktop, laptop, tablet, or mobile device. They have all the convenience of using Login With Facebook, but they’re more secure. And while they don’t protect you from 100% of the risks associated with using Facebook, they are the best alternative to allowing Facebook to manage access to all your accounts.
You’re probably wondering, How’s a password manager more secure than using Login With Facebook? It sounds like I’m still putting all my eggs in one basket.
There is one crucial difference: Facebook was and remains a single point of failure for all 2 billion-plus users—a Facebook vulnerability could mean access to millions of users and their associated third-party accounts. In contrast, a password manager prevents this same “one-to-many” hack, because it requires a unique key—your master password, which is never stored online and is known only by you—to unlock your personal data. A password manager is designed to keep each of your accounts separate, so if one account becomes compromised, your other accounts remain secure.
So, while you’re keeping all your eggs in one basket, imagine that basket is locked inside a safe which is locked inside a larger vault. Even if someone manages to open the vault, your safe is protected by your unique master password.
All the problems associated with using a centralized service like Facebook exist with any type of social login, including Google, LinkedIn, Twitter, or Yahoo. In fact, LinkedIn, Twitter, and Yahoo have already been hacked, and Google recently revealed a breach for hundreds of thousands of users. The common thread? Each of these businesses generates revenue primarily through ad sales.
And the truth is, these data privacy issues shouldn’t have to be solved by users. Facebook could take a big step in the right direction by allowing users to opt-in or out of allowing Facebook to connect their accounts with third-party services. That way, users are in control of where and how their data is shared, not Facebook.
But until that becomes a reality, stop entrusting your data to companies whose primary goal is to sell you ads. A security-focused password manager puts you in control of your private data and provides the same convenience of instant logins across all your accounts.
Eitan Katz writes for NSA’s partner Dashlane on cybersecurity topics like Phishing, the dark web, and password management. Dashlane shared this article with us to help educate and inform NSA members.