Stop Signing In With Facebook (or Gmail) On Other Sites
Have you ever been asked on a site, instead of creating a unique username and password, to log in with your Facebook or Gmail account? That is called a single sign-on (SSO) feature, and it is what attackers took advantage of in the latest Facebook breach. The most interesting thing about this feature is that, once applied, there is really no way to reverse it, i.e. there is no equivalent "single sign-off" feature.
50 million Facebook users had their access tokens compromised, and although the tokens were reset, because Facebook does not enforce its developer guidelines there is an unknown number of third-party services and mobile apps for which the tokens could not be reset. I know it's easy and convenient, but it is never a good idea to use these types of features, especially when there is really no easy way to reverse the action. Use a password manager (or a passphrase with a unique site identifier, as suggested in my previous blog post) and create a unique user ID and password for each site; it keeps your personal risk level down.