
100s Of Millions Have Identities Stolen Using OAuth. How To Avoid It

Published: December 25, 2023 on our newsletter Security Fraud News & Alerts Newsletter.



You may be using Open Authorization (OAuth) to log into your accounts and not know it. You should also learn to recognize OAuth when you see it, since hundreds of millions of its users, some who knew they were using it and some who didn’t, have found themselves drowning in identity-related cybercrime. Accounts were taken over, identities stolen, and financial crimes ran rampant. As a result, using secure logins instead of OAuth can keep you from the identity nightmares many millions found themselves in.


Oh, I’ve Seen That!


The way to spot OAuth at work is when you see a pop-up with “Log in with…” to use your Google, Facebook, or another account for your login, or when, using Instagram, the “post to Facebook” option is enabled. OAuth is behind the scenes powering those options, and if done properly, it hides your password. However, it’s been discovered that many are configured incorrectly, and that puts your login credentials at risk. Most would agree it’s easier to choose the quick OAuth option instead of entering yet another unique username and password. BUT, like the millions who also chose OAuth to verify their identity, you too could find yourself drowning in credential theft.



Researchers from Salt Labs discovered OAuth credential leaks on several websites, including Grammarly, the AI-fueled writing help site, the Bukalapak e-commerce platform, and the Vidio streaming platform. Salt Labs had previously found OAuth problems with the Booking.com travel website that could also involve its associated website, Kayak.com. All these findings lead Salt Labs researchers to believe that other websites offering OAuth logins, and their countless users, could be affected but not yet discovered.
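The newsletter says OAuth "hides your password" when done properly and that many sites are "configured incorrectly", but it does not say which misconfigurations Salt Labs found. The following added example (not code from the newsletter, from Salt Labs, or from any of the sites named) simulates a minimal OAuth 2.0 authorization-code login so the two points above are visible in code: the site offering "Log in with…" (the relying party) never touches the user's password, and the identity provider only sends login codes to a redirect address that was registered exactly, checks each code once, and the relying party ties each login to a state value it issued. All names, URLs, and credentials are constructed for the demo.

```python
"""Minimal OAuth 2.0 authorization-code flow simulation (added example).

Not code from the newsletter or from any site it mentions. The client
name, redirect URL, user and password below are all constructed.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """Stands in for the identity provider behind "Log in with ...".
    The user's password exists only here, never at the relying party."""

    def __init__(self):
        self._clients = {}   # client_id -> set of registered redirect URIs
        self._users = {}     # username -> password (plain text only for the demo)
        self._codes = {}     # code -> (client_id, redirect_uri, username)

    def register_client(self, client_id, redirect_uris):
        self._clients[client_id] = set(redirect_uris)

    def add_user(self, username, password):
        self._users[username] = password

    def authorize(self, client_id, redirect_uri, state, username, password):
        """User logs in to the provider and approves the client.
        Returns the redirect URL carrying a one-time code, or raises."""
        # Exact string match against the registered list; no prefix or
        # wildcard matching, so a code is never sent somewhere unexpected.
        if redirect_uri not in self._clients.get(client_id, set()):
            raise ValueError("redirect_uri is not registered for this client")
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, username)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange(self, client_id, redirect_uri, code):
        """Back channel: the client trades the code for the user's identity.
        Codes are single-use and bound to the client and redirect_uri."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid or already-used code")
        return {"sub": entry[2]}


class RelyingParty:
    """The site offering "Log in with ...". It never sees the password."""

    def __init__(self, client_id, redirect_uri, server):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.server = server
        self._pending = set()   # state values handed to browsers

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state

    def finish_login(self, callback_url):
        """Handle the browser's return; reject any state we did not issue."""
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self._pending:
            raise PermissionError("unknown state")
        self._pending.discard(state)
        ident = self.server.exchange(self.client_id, self.redirect_uri, qs["code"][0])
        return ident["sub"]


def demo():
    """One successful login plus two rejected requests; returns a summary."""
    idp = AuthorizationServer()
    idp.add_user("alice", "correct horse battery staple")          # constructed
    idp.register_client("shop-app", ["https://shop.example/callback"])
    shop = RelyingParty("shop-app", "https://shop.example/callback", idp)

    state = shop.start_login()
    cb = idp.authorize("shop-app", "https://shop.example/callback", state,
                       "alice", "correct horse battery staple")
    who = shop.finish_login(cb)

    # A redirect address that was not registered is refused before any code exists.
    try:
        idp.authorize("shop-app", "https://shop.example/other", state,
                      "alice", "correct horse battery staple")
        bad_redirect_rejected = False
    except ValueError:
        bad_redirect_rejected = True

    # Presenting the same code a second time is refused: codes are single-use.
    try:
        idp.exchange("shop-app", "https://shop.example/callback",
                     parse_qs(urlparse(cb).query)["code"][0])
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {"user": who, "bad_redirect_rejected": bad_redirect_rejected,
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```

The three checks in the demo (exact redirect address match, single-use codes, and a state value the relying party issued itself) are standard OAuth 2.0 client and server hygiene; they are shown here as the kind of configuration a site should get right, not as a description of the specific problems Salt Labs reported.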



The Secure Login Choice


Until individual websites fix the way OAuth is configured, going “old school” is still the most secure login option. It may not be the fastest, but it’s the safest. Remember, always create a secure login username along with a unique, fortified password. Passwords should be a minimum of eight characters with a mix of upper- and lower-case letters, symbols, and numbers.


Always pair your secure login credentials with an added layer of identity verification, like an OTP (one-time password) or 2FA (two-factor authentication) code sent via text or email. Consider using a password manager to store your credentials, but know that if your password manager gets compromised, so do all the passwords stored there.


Identity theft is a tragic event, and digging yourself out is a long and expensive road. Even the most basic things we do, like logging into accounts, can determine how securely we travel online. So, start safely by using secure usernames and passwords, and add OTP or 2FA as added identity verification. It’s a very basic but most important way to begin your online travels.


Want to schedule a conversation? Please email us at advisor@nadicent.com


