Published: August 14, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
When you go to your Facebook login page, you’re likely to see a pop-up window asking if you’d rather sign in using your Google account credentials. It’s hard to resist: it’s easy, convenient, and you don’t have those pesky password problems. But is that little window there simply for convenience or is there more to it? A security researcher found there’s a lot more to it. That is, using Gmail to sign into your Facebook account can get your account and credentials stolen.
Accounts get linked via Google OAuth, short for “Open Authorization.” And it’s not just Google using this service. Microsoft and Amazon do the same for their users’ convenience. OAuth connects accounts to third-party websites. Doing so puts the same username and password behind every linked app, a risky move.
According to a Malwarebytes Labs Malware Intelligence Researcher, “Linked accounts were invented to make logging in easier…You can use one account to log in to other apps, sites and services. All you need to do to access the account is confirm that the account is yours.”
Once inside a hijacked Facebook account, bad actors can spread malware, steal PII that includes banking, credit cards and other financial data, and post anything they like on the compromised account, including spreading disinformation.
Using Google to sign into your Facebook account, or using any other credentials to sign into your accounts, is never recommended. If someone manages to steal your login credentials for one, they have them for the other. On that note, some tips for protecting social media and other accounts from password compromise and unauthorized hacker access are noted below.
Don’t store passwords in your browser as they’re not known for strong security. Should Google or another browser you choose get hacked into, cybercriminals know that every password stored there is now theirs.
Check your Facebook “Settings and Privacy” for other devices that may also have logged in to your account. If you find anything unusual, change your Facebook password immediately. Also, purge old or other devices from your account that are no longer being used.
The “Security and Login” page Facebook provides will show if you have the Facebook Protect option. If so, use it and Facebook will take you through your security settings and make recommendations to improve them.
Password managers create unique passwords for all accounts. However, before you choose this route, know that if your password manager is compromised, so too are all the passwords it holds. Weigh your “risk vs. reward” very carefully before making this decision.
Always use MFA (multi-factor authentication) when available. This way, the identity authentication MFA provides can keep hackers out of your account. It’s quick, easy, and there’s no reason not to use it.