Since Facebook reported last week that hackers had stolen access tokens to almost 50 million accounts, there have been no signs that the perpetrators leaked any user data online or published content on the site without permission.
That’s an encouraging sign, say security experts. “The good news is there’s no evidence that it’s happened, and trust me, everybody’s looking,” Chester Wisniewski, principal research scientist at security firm Sophos, told Fast Company.
But many Facebook users are understandably still concerned about the ramifications of the attack, which could have allowed hackers to siphon off personal data about themselves or their friends, or potentially gain access to third-party sites and apps that support Facebook login. Those services run the gamut from dating services like Tinder and Bumble to streaming services including Spotify and Tidal to e-commerce sites such as Etsy and Airbnb.
“Most of those [thousands of] businesses that are using Facebook login have no clue that they may be at risk, or may have been at risk,” says Dean Nicolls, head of global marketing at identity verification company Jumio.
Again, there’s been no evidence that any such services have actually been compromised, but some companies have taken steps to reassure users. “Spotify has not experienced a security breach,” a spokesperson for the music streaming service said in an emailed statement. “We take the security of our users’ data very seriously and we recognize that many people share login information across various platforms. As a precaution, concerned users can update their Spotify password, or if the account was created through Facebook, the Facebook login via their instructions.”
At the same time, there are some simple steps you can take to keep your Facebook and other accounts more secure from future attacks, in addition to staying vigilant about potential fallout from this one.
Use Secure Passwords and a Trusted Password Manager
Changing passwords is one of several steps experts say concerned users can take in the wake of the breach. Though the complex hack apparently only took digital tokens used to keep users logged in to Facebook–rather than traditional passwords–changing to a new secure password can’t do any harm, and it can give users an opportunity to make sure they’re using a unique, difficult-to-guess password for Facebook and other services.
Using password manager software that securely stores passwords and makes them available across devices is generally also a good idea. They keep passwords in files encrypted with user-specific passwords, which can make them less susceptible to security breaches.
And as password managers have gotten easier to use, they can, in some cases, remove the need for single sign-on services like those provided by Facebook and Google. Some managers can even automatically help you change your password to a secure, randomly generated one on commonly used websites, writes Greg Arnette, technical evangelist at Barracuda Networks, in an email to Fast Company.
“The password manager can also flag accounts where the [passwords] have been re-used,” he writes.
Users who want to switch their account on other services from Facebook login to using a traditional username and password may need to create new accounts in some cases, says Wisniewski. Some services allow switching, but not all do.
Check Your Facebook Settings and Posts
In a blog post last week, Facebook suggested users can visit the “Security and Login” tab within the site’s settings menu. There, they can see a list of any services where they’re signed in with Facebook and sign out of any they’re not using or no longer want to use through Facebook login.
Users can also see on which devices they’re logged into Facebook, disconnecting any they don’t recognize or don’t want logged in, says Candid Wueest, principal threat researcher at security firm Symantec. They can also check their recent posts and Facebook messages for any signs that their accounts might have been used in spamming or phishing attacks.
“We recommend that people of course verify the last, say, 10 posts on their timeline,” Wueest says.
People who log in to other services using Facebook can also check any account histories those services offer to make sure their accounts haven’t been used in unauthorized ways.
Enable Two-Factor Authentication and Notifications
Using two-factor authentication, which requires you to do something to verify your identity beyond simply entering a password, wouldn’t have protected users from the recent Facebook hack because of the particular vulnerability used. But generally speaking, it can still be a good way to help keep online services like Facebook secure.
Facebook has recently been criticized for allowing phone numbers enabled for text-based two-factor authentication to be used to target ads, but the company also offers the option to use alternative verification methods, including using third-party two-factor authentication apps like Google Authenticator or Authy. Using such apps can also reduce the risk of hackers defeating two-factor login by stealing texts or tricking phone companies into giving them access to other people’s accounts.
Some apps and sites can also provide email or text notifications when you log in to their systems. These can be a nuisance if you sign up for too many of them, but they can also be valuable if you’re concerned about unauthorized access to your accounts.
“You gotta decide how risk-averse you want to be,” says Wisniewski.
Watch for Phishing Scams
As of now, it’s still unclear who is responsible for the mammoth Facebook hack and what data they’ve managed to hold on to. One possibility is that they’ll use it as a source of data for phishing attacks. Clever hackers often research targets so that they can pretend to be their employers, friends, or relatives, and the Facebook attackers could do the same.
Scammers could even falsely claim to have sensitive data from the hack, demanding a ransom in exchange for not releasing it. That is why it’s always a good idea to remember that most timeless of digital-age adages. “Don’t trust everything you read on the internet,” says Wueest.