Did Facebook just save me from being Pwned?
The recent security breach at Patreon has lead me to like using my Facebook account for things outside Facebook just a little bit more.
An interesting thing happened recently. I’m a member of a website called Patreon. If you haven’t heard of Patreon, it allows you to support content creators with their projects by donating money to them. I use Patreon to contribute to the Daily Tech News Show podcast. Obviously this means Patreon have my details stored in their databases, including some personal details and my payment method. Patreon recently had a security breach that involved user details being posted online, mine included. When I got notification* that my details had been posted to the internet, I was somewhat concerned. The website claimed that their passwords were stored with non-reversible encryption, which was reassuring, but all the same they recommended that everyone change their passwords. Given that my financial information was safe with Paypal, my main concern was my password, and I didn’t want to take any chances with it. What if I’d used that password somewhere else? What if someone was able to use it through Patreon to send money to themselves?
So I got along to the Patreon login page which presented me with two options — Patreon login, or Facebook login. It was then that I remembered I’d used my Facebook account to login. What did that mean? Did it mean I was safe, or that my Facebook account was vulnerable? So after a quick look around the web I came across this notice from Patreon’s CEO, Jack Conte, and in particular the last paragraph which stated:
If you signed up through Facebook, you do not have a Patreon password and no action is necessary
That was great for me, I didn’t have to do anything, my password was safe because it was with Facebook, not Patreon. More importantly though it highlighted one thing. I create passwords at a lot of sites for a lot of things, we all do. I have no idea how some of them store my password and my personal details, or how much they care about security. Certainly, some have even been caught storing passwords in clear text (including some that really should’ve known better)! What I can be fairly confident of though, is that Facebook, the site storing the passwords of a billion users is going to have better hardened security than <insert random internet startup here> does. This time, Facebook has kept my password safe from being published to the internet, and I dare say it’s likely to do so again, as would logging in with a Google or Microsoft account if that were an option (note to Patreon — that should really be an option).
This has caused a bit of an about-face for me on this federated login thing (logging in with your social accounts). I used to think it was a play for Facebook and Google etc. to net yet more of your personal data. Frankly, it probably is, but I’m much happier to let them know I use “Dave’s Cheese Shop” website now. Trading basic and useless personal details like that for better security in an age where website security breaches are a regular occurrence seems like a good way to pay for some peace of mind.
* On a side note, you might be wondering how I got notification of my details being posted to the internet. No Patreon didn’t tell me. They did tell me about the security breach, but they didn’t tell me when the details of that breach turned up online. That particular honour goes to the aptly named Have I been pwned? website. Into which you can enter your email address to see if it’s been part of a website security breach where the data has been posted to the internet, and sign up for notification of that exact occurrence in the future. I signed up earlier in the year, and they told me about the Patreon breach almost immediately after it happened. So with that in mind it might be worth checking your own email addresses using this site, you never know!
Originally published at tmtgping.wordpress.com on October 14, 2015.