Social Media Identities have been used for a while now as an alternative to the traditional username and password.
When signing up for a web-based service, you are presented with a dialogue box asking you to sign in with one of a number of Social Media Identities, such as Facebook, Twitter, LinkedIn, Google or another service. Usually near the bottom of the dialogue box is an option to set up a user id and password.
It's commonplace now for users to just click one of their identities to gain immediate access to that site. But how often do they stop and think about what the effect of that is?
Why is this important? Here is a good example:
Recently, Spotify has been informing users to change their passwords:
Hi Spotify User
To protect your Spotify account, we’ve reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password.
Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure.
What is happening is that your data is being checked against a hack list and cross-checked against their system. This is based more on the email address than the password.
The piece of information that is missing, though, is what the other leak is. Is it a recent leak, and is this a published or unpublished hack list?
You can use a service such as https://haveibeenpwned.com/ to see if your email address is in a known published list; however, it can't check those lists that haven't been published.
If your Social Account is hacked, does that compromise and open up all of those linked services? Most probably.
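As an added illustration (not part of the original post) of how a password can be checked against a published breach list without sending the password, or even its full hash, to anyone, here is a Python version of the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API. The demo password and the sample response body are constructed so it runs offline; the live fetcher is an assumption based on the documented `range/<prefix>` endpoint and is not exercised here.

```python
import hashlib
from typing import Callable, Dict

# Pwned Passwords range endpoint (k-anonymity): only the first 5 hex chars of the
# SHA-1 are sent; the server returns every suffix that shares that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str):
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skips malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Real lookup (assumed endpoint format); not used by the offline demo."""
    from urllib.request import Request, urlopen
    req = Request(RANGE_URL.format(prefix=prefix), headers={"User-Agent": "example-checker"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample response: the suffix of a weak demo password plus two
# illustrative neighbours, formatted exactly as the API returns them.
_weak_prefix, _weak_suffix = split_hash("Password123")
SAMPLE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_weak_suffix}:12345",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call that always returns the constructed body."""
    return SAMPLE_BODY
```

Only a password found in the returned range yields a non-zero count; a strong, unique password comes back as 0 while its hash never leaves the machine in full.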
Some simple steps to follow:
- Don’t link everything to one Social Media Account
- Think about using the traditional username and passwords for some services
- Don't use the same passwords across your Social Media Identities
- Change your passwords on a regular basis
- Follow good password length and character rules (alpha, numeric, special characters)
- Use an additional layer of security, see: Are you using 2 step logins?