Daily Bulletin

The Conversation

  • Written by Mike Johnstone, Security Researcher, Associate Professor in Resilient Systems, Edith Cowan University
Facebook hack reveals the perils of using a single account to log in to other services

Facebook announced on Friday that its engineering team had discovered a security issue affecting almost 50 million accounts. Due to a flaw in Facebook’s code, hackers were able to take over an account and use it in the same way you would if you had logged into the account with a password.

The company says it has now fixed the problem in its code and reset access tokens for those accounts – along with 40 million other accounts that were vulnerable to the flaw. If you found yourself logged out of your Facebook account last week, it’s likely you were affected.

Beyond that, little is known about the extent of the security breach. In its security update, Facebook said:

Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.

What it means

This is not the worst data breach to date. That accolade belongs to the credit bureau Equifax, which had personal data stolen from the accounts of 147 million people. But, unfortunately for Facebook, there are several flow-on effects from the recent hack.

First, the breach may run afoul of the European Union’s General Data Protection Regulation (GDPR), which was introduced in May. Although the GDPR only applies to European citizens, the penalties for data breaches are severe – up to 4% of global turnover per breach.

Second, any accounts on other platforms that use Facebook verification are also at risk. That’s because it’s now a common practice to use one account as an automatic verification to connect to other platforms, for example by using a Facebook account to log in to another social media platform such as Twitter, Spotify or Instagram. This is known as single sign-on (SSO).

How single sign-on works

If you connect to any system, you need some form of authentication – usually a login credential such as a username and password pair. When you have many different systems that all require credentials before you can use them, suddenly you’re faced with remembering ten different (ideally very long) passwords.

Some people can do this, but many can’t. And we still want the systems to be secure. If we could connect to one system that was trusted by the others, and use the trusted system’s password, then we wouldn’t need ten passwords – just one. That’s the principle behind SSO.

But this only works as long as the trusted system is secure. If it’s not, a cybercriminal could use the hacked account on one platform (in this case, Facebook), to access any other connected platform.
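To make that trust relationship concrete, here is an added Python sketch (not code from the article, and not how Facebook's systems are built) of a single sign-on provider and two connected platforms. The provider, the platform names and the token format are assumptions for illustration: the provider signs short-lived tokens and keeps a per-user "generation" counter, the platforms accept any token the provider vouches for, and resetting a user's tokens bumps the counter so every outstanding token is rejected everywhere at once, which is the effect of the access-token reset the article describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


class IdentityProvider:
    """Hypothetical SSO provider; stands in for Facebook in the article."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        # Per-user token generation; bumping it invalidates every outstanding token
        self._generation: Dict[str, int] = {}

    def issue_token(self, user: str, now: int, ttl_seconds: int = 3600) -> str:
        gen = self._generation.setdefault(user, 1)
        payload = {"sub": user, "gen": gen, "exp": now + ttl_seconds}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def reset_tokens(self, user: str) -> None:
        """Invalidate all of a user's tokens, as the article says Facebook did."""
        self._generation[user] = self._generation.get(user, 1) + 1

    def introspect(self, token: str, now: int) -> Optional[str]:
        """Return the user a token is currently valid for, or None."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(sig, expected):
            return None  # forged or corrupted token
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["exp"] <= now:
            return None  # expired
        if payload["gen"] != self._generation.get(payload["sub"]):
            return None  # issued before the last reset
        return payload["sub"]


class RelyingParty:
    """A connected platform that trusts the provider instead of holding its own password."""

    def __init__(self, name: str, idp: IdentityProvider):
        self.name = name
        self.idp = idp

    def login(self, token: str, now: int) -> bool:
        return self.idp.introspect(token, now) is not None


def simulate() -> Dict[str, bool]:
    now = 1_000_000  # fixed clock so the run is deterministic
    provider = IdentityProvider(signing_key=b"constructed-demo-key")
    apps = [RelyingParty("PhotoApp", provider), RelyingParty("MusicApp", provider)]

    token = provider.issue_token("alice", now)
    # Simulated compromise: a flaw at the provider exposes a valid token.
    stolen = token

    results = {
        # Every platform that trusts the provider accepts the stolen token.
        "stolen_token_accepted_everywhere": all(a.login(stolen, now) for a in apps),
    }
    provider.reset_tokens("alice")
    results["stolen_token_rejected_after_reset"] = not any(a.login(stolen, now) for a in apps)
    fresh = provider.issue_token("alice", now)
    results["fresh_token_works_after_reset"] = all(a.login(fresh, now) for a in apps)
    results["fresh_token_rejected_after_expiry"] = not any(
        a.login(fresh, now + 3601) for a in apps)
    tampered = fresh[:-1] + ("0" if fresh[-1] != "0" else "1")
    results["tampered_token_rejected"] = not any(a.login(tampered, now) for a in apps)
    return results


if __name__ == "__main__":
    for check, ok in simulate().items():
        print(f"{check}: {'yes' if ok else 'no'}")
```

The point of the sketch is the blast radius: none of the connected platforms can tell a stolen token from a legitimate one, so the only effective response lives at the provider. Short lifetimes bound how long a leaked token is useful, and a generation counter (or an equivalent revocation list) lets the provider cut off every outstanding token for an account in one step without touching the connected platforms.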

What you should do

Authentication usually relies on one of three factors:

  • something you know, such as a password
  • something you have, such as an access card
  • something you are, such as a fingerprint.

Clearly, using more than one factor increases security. In your Facebook account, you can choose to use two-factor authentication. That means that you would need to enter your password plus a code sent to you via an SMS message when you next log in.

The future of verification

There is always a tension between usability and security. People want systems to be secure so that their identities aren’t stolen, and they also want the same systems to be easily accessible. SSO is an attempt to balance usability and security, but the Facebook hack reveals its limitations.

Many people don’t like passwords, so they choose easily remembered, and therefore easily breakable, passwords. Cybercriminals have access to lists of millions of common passwords (hint: “Gandalf” isn’t as unique as you might think).

Access tokens, such as cards or other physical devices (as used by some banks, for example), are a solution – as long as you don’t lose them. It might be that using a unique physical attribute is the best way forward. After all, you always carry your fingerprint, iris or voice with you.

Authors: Mike Johnstone, Security Researcher, Associate Professor in Resilient Systems, Edith Cowan University

Read more: http://theconversation.com/facebook-hack-reveals-the-perils-of-using-a-single-account-to-log-in-to-other-services-104227
