
I have had better days. I woke up to the sound of a hailstorm beating my bedroom window to a pulp. I saw the weather gods, in a passive aggressive mood, pelt San Francisco with sleet right at the time I go for my early morning walk. And if that was not enough, I had emails from three friends letting me know that my Facebook account had been hacked and hijacked.
I emailed Facebook support, who quickly killed the account after confirming that it was really me who was requesting it be shut off. And then I emailed their PR department to see if other folks were hacked too. After all, if that was the case, it would be a story.
Nope, it was just me who was on the receiving end of the machinations of someone who clearly doesn’t like me — this person emailed TechCrunch Tips, who kindly let me know what had happened.
So much drama! It should have made me very angry — but it didn’t. I was embarrassed because a lot of friends, family and colleagues who make up my Facebook network were now exposed to an impostor. The breach of my account made me take stock of my Facebook usage. It is a lot less than it used to be. And almost always, it is inside the Facebook mobile apps — whether on Blackberry, Android or iPhone.
I scan through the photos of my friends, catch up on updates about their babies, their relationship (or lack thereof) statuses and, most importantly, birthday dates. I rarely post updates or share links, though I do message people. And I can do these easily and quickly on the mobile apps, thanks to the use of notifications (on my iPhone).
But almost half a day without Facebook has caused an unusual pain — it has made me unable to log into several of the services that use Facebook Connect as a log-in mechanism — like Bejeweled Blitz and Words Free, two games I absolutely love. Ironically, I was living inside the very future I had envisioned.
About two-and-a-half years ago, I pointed out that Facebook Connect was the single biggest move made by Facebook and one of the reasons the company would eventually be a winner. It’s essentially a system that lets application and web developers allow web surfers to sign in to their services using their Facebook identities. Here is what I wrote then:
In addition to offering a simple authentication method, FC allows granular social interactions to be embedded in non-Facebook services. If Facebook can work with its partners to build interesting use-case scenarios that go beyond simple sign-on, it is quite feasible that Facebook can out-execute Google, MySpace and everyone else with its ID ambitions. Why? Because this is their one chance of building a monetization engine.
As a user, having your social self represent you around the web will at first be creepy but ultimately be useful. As one Facebook engineer put it to me today, “Imagine if you had one login for the whole web. That would be so sweet.”
Sweet, or sad. Eighteen hours after no Facebook, I know one thing is for sure — I don’t have access to my favorite casual games to make me feel better.
Om, that’s lousy, and I’m sorry to hear it happened to you.
I’ve been saying for a couple of years that logins via Facebook Connect and other outsource-your-account-management schemes are problematic for exactly this reason, especially for paid web services. As the Q & A page for my own (soon-to-launch) web service says:
“We really don’t want people shut out of their CardVine accounts due to some problem with Facebook. So you have to sign up for CardVine the old-fashioned way and sign in with your CardVine credentials. If your Facebook account ever gets suspended, you’ll be thanking us.”
Ralph
I agree, and this is an incredibly hard thing for folks to grok because FC is so damn easy. I think we now have more options but people still believe that they are getting a lot more from FC than anything. Today I got an app with FC as the only login option. I cannot use it, and now they are pretty much useless and I will not write about them for that specific reason.
Sorry to hear Om…
Luckily, I’ve never believed in the “one sign-in for all thingy”. Have never wanted to give anyone – say nothing of a company – that much control.
Yup, that is a good thing! I am sure I am going to feel the repercussions for a long time.
Hi Om, I’m really enjoying your daily emails. Please keep them up. This one is particularly interesting. It’s ironic that one of the sites that has truly benefited from this paradigm was in fact created by the Quora co-founders. I believe the next set to truly take advantage of this is Votizen. Real identities translated online matter and pave a path toward building true online value, all thanks to the ubiquity of Facebook.
Semil
Thanks for the kind words. While this isn’t the newsletter — mostly because dealing with it took my entire day. Anyway I think the real hurdle is when Facebook can build a system where there is security built in, despite the lack of it on the part of their customers.
Anyway back to normal duty on Monday. Gracias.
https://chrome.google.com/webstore/detail/ejpepffjfmamnambagiibghpglaidiec
problems pretty much solved. i rarely ever use fb and never play games through fb. never understood why so many give so much to one silo. never a good thing in the long run.
What Geoff said. 🙂
I know you laugh at me sometimes, Om, but since Beacon, Facebook sits in its own browser. Away from my personal email. Away from any online shopping activity. And I never use Facebook connect to sign up for any online service. I may have over 200 and some-odd passwords, but the more I keep things separate, the better I feel about not losing any additional functionality should one of these services go down or get hacked.
Trust no one. 😉
“But a day without Facebook, is quickly making the web unusable.”
I’ve never used Facebook and likely never will, yet the web is quite usable for me.
Fred
We both have different usage behaviors and since I have to write and learn about many more, I get exposed to Facebook connect more often! I think it is a sign of things to come as Facebook connect is becoming pervasive.
Out of curiosity, how did your account get hacked?
KenG
Sorry for slow response. I have no idea how it got hacked :-;
Maybe while FB was updating its privacy policy somebody searched for you in Bing using IE 6 🙂
Hope you are back on FB now.
I find this Facebook feature powerful too. But your example shows how this crumbles down. But there are many services that provide similar login feature. Twitter, Google, OpenID, Yahoo and I guess there are others.
For some time I was thinking about how you can, with your site/service, tie all those multiple accounts on other networks to one account on yours. One thing to gain from it is, as with Facebook, to import contacts, but I think if used in the right way it can be a security and alternative-login feature just for such cases. Like Google, which for the same reasons asks for your mobile phone number so that it can send password changes directly to you in case of some problems.
On a day without Google it’s perfectly possible to find things on the Web (using e.g. Bing). So in fact a day without FB is much worse in comparison.
Hi Om,
Every time a major tech media web site (such as GigaOm or TechCrunch) proclaims a single app or website or protocol or technology as a “winner”, my engineer DNA says “single point of failure”. The big lesson here is: don’t put all your eggs in one webapp, no matter how compelling the vision projected to you by the marketing folks. The only robust architecture for the Internet is one which is based on open interoperable protocols, not on closed proprietary applications.
I wonder how many times someone has to see this before this fundamental truth sinks in.
Hope your account is re-instated soon. And hope you move off the single-point-of-Internet-failure known as Facebook.
Nitin
They say that convenience is what causes all sorts of problems — this is clearly the case.
Anyway I think you have told me enough times that I listen to it. But I think it is app developers who need to give folks an option more than anything else.
My account will be re-instated but between you and me, I am not likely to invest much in it going forward. If there is an option to use a login method, I am going to stick to an optional one.
It has been a very long day and a very long week.
The solution to this is to have multiple points of signing in for an account. Facebook can be one of the providers in addition to google or yahoo or perhaps even twitter. Thus monopoly problem solved, and risk is also mitigated.
That is why I don’t use Facebook Connect (besides that services have been posting to Facebook when trying it out at the beginning). I am using OpenID where I can and adding two or three different accounts. And if a service only uses Facebook Connect it has to be very compelling to try it. But there is no site I use regularly where I am forced to use Facebook Connect. It is very convenient but I also saw it causing all sorts of problems for people.
One of the BCP for RPs is to allow more than one OpenID to be associated with a single service account. This particular event suggests that Apps that use FC should also do the same.
You can ask Facebook to SMS/email you whenever your account is accessed from a “new” device. This does not protect from hacking; but at least you will be immediately notified and you can take some precautionary steps.
Great read as always. Just FYI it’s “thereof” and not “there off”. 🙂
Also, FWIW three friends over the course of a month have notified me and their network to say their respective accounts had been hacked. It’s a problem.
T.barnes
Thanks for the comment and sharing information about your friends getting hacked!
Sorry to hear that Om. Might consider:
There is not only the problem of a single point of failure; there is also the problem of too many moving parts. In other words, weigh your options carefully. I think there is no one size fits all, but in the case of a “public” figure, diversification might be a good thing. I think Ken Thompson once pointed out you can not trust your own application if you haven’t analysed the compiler code with which your app is generated, and that’s just the SW side of the picture.
Now to rub it in: What does TechCrunch now know we do not know? 🙂
Dude, your only two examples are silly games. Can’t you come up with something a little harder hitting than that? Off the top of my head, none of the major sites I use require Facebook logins: Amazon, Google, Twitter, New York Times, L.A. Times, ESPN, even your site. Your premise is interesting but you’re making it sound as if it’s already become a reality, rather than what it is — a vague possibility.
Facebook, manorama, dipika, Engadget & Other time waster blogs are the reason why productivity is so low at workplaces.
Google’s latest search algorithm is also not helping in finding what i am looking for / what i need.
I am waiting for the ‘next big thing’ that helps productivity and makes life a bit easier (for everyone rich and poor)….
Efficient cars, batteries, motors, lights etc may be perhaps next best thing… (121$/barrel is just too much to be dependent on Oil)… it’s the root cause of all wars these days 😉
Oh, I am sorry for your facebook loss. (gosh.. there is no comment edit !)
As online identities get more valuable, it’s becoming increasingly important to safeguard them from being hacked. A little known security feature for Facebook accounts is the ability to receive an SMS notification whenever your Facebook account is accessed from a new device or application. If you had this feature enabled on your account, you would have been able to immediately take action to block the hacker from accessing your Facebook account and to recover your account.
Another feature is the ability to login to Facebook with a One Time Password (OTP) that is sent via SMS to your cell phone. Logging in with an OTP rather than your real password makes sense when you’re using an untrusted PC that might have a keylogger monitoring your keystrokes, like at an Internet Cafe.
Google users have the ability to lock down their GMail and Google OpenID accounts by requiring both the Google Password and an OTP sent to the user’s cell phone to login. Google users who have this feature enabled are pretty well protected since the attacker will need to steal both the user’s Google Password and the user’s cell phone to login.
The ability to reuse an existing online identity at multiple sites is getting more popular – not just for the convenience of streamlining the login/registration flow, but because rich online identities like Facebook/Twitter/OpenID have valuable data (profile, social graph, reputation) and services (social syndication, sharing) that greatly enrich the experience for both the user and the publisher relative to registering and logging in the old fashioned way with a local account and password.
I expect to see more and more sites and applications accept 3rd party logins – which will make it even more important to find ways to protect and safeguard these accounts.
The web is usable without facebook connect. Since I don’t even use facebook itself, facebook connect doesn’t factor in. I use twitter, but I avoid signing into any service using twitter oAuth.
Sorry to hear about the problems, Om. You raise a very serious aspect about online security.
Because Facebook Connect acts as our authentication to other services, all of those are also compromised should our Facebook account be hacked.
As we see Facebook and other services move more into virtual goods, credit systems and online payments, those compromised accounts are looking pretty lucrative.
Maybe you should be glad the spammers just used your account to send spam. It could have been much worse.
Facebook Connect’s a handy tool, but we need to be careful of how we use it.
I got a FB account a couple of years ago as an experiment for keeping in touch with local community. Over the months my FB network expanded well beyond the original group I intended. I have never been happy with Facebook’s promiscuity and have used it less and less for any communication except publicizing community events.
A few weeks ago, I thoughtlessly used my FB ID to authenticate to a new service and to my dismay exposed my entire FB network to a promotional message from that service.
I will never again use FC and my use of FB will remain very limited.
As far as I’m concerned email, targeted mailing lists and purpose-specific groups are a more effective way to reach particular audiences.
I can easily live without FB and its sophomoric narcissism and expect it will soon plateau and even fade away as users discover alternative, less compromising ways to maintain social networks.
I can’t imagine being that dependent on Facebook. I started my FB account back in late 2004 and permanently deleted it last November and haven’t noticed the least bit of inconvenience from it.
Om,
I can understand what you are going through! I have had some similar near-death (in terms of spending time online) experiences, but nothing to the extent of the account being disabled. Hope it’s reinstated soon.
I propose a solution, and probably you could publicize it 😉
I am a Flickr user, and I use it with my google login. And I am also liable to similar lockout from my Flickr account should my google account get compromised. I am ready to connect Facebook (and twitter if they come up with twitter too) to the same account. If only Flickr (and any other website/service that identifies and authenticates a user) took some pains to tie up my Facebook, Google and Twitter identities to one account, this problem wouldn’t exist!
Although I am one among the pro-privacy people, I agree that Facebook connect makes (online) life extremely simple!
I wish websites or web service providers would start connecting the dots and tie up all the online identities, so that if my Facebook account goes down, I can use my twitter login to use the same app/website/etc.
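The multi-provider account model that several commenters ask for (one local account reachable through any of several linked identities, so a suspended Facebook account does not lock the user out), as an added Python example; this is not code from the post or from any of the services named, and the provider labels, subject ids and account names are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LinkedIdentity:
    provider: str  # provider label such as "facebook" or "google" (constructed)
    subject: str   # the provider's stable user id, not a mutable email address

class AccountLinkError(Exception): ...

@dataclass
class Account:
    account_id: str
    has_local_password: bool = False
    identities: set[LinkedIdentity] = field(default_factory=set)

    def login_methods(self) -> int:
        return len(self.identities) + (1 if self.has_local_password else 0)

class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._owner: dict[LinkedIdentity, str] = {}  # identity -> account_id

    def create(self, account_id: str, has_local_password: bool = False) -> None:
        self._accounts[account_id] = Account(account_id, has_local_password)

    def link(self, account_id: str, identity: LinkedIdentity) -> None:
        # Call only after the provider has authenticated this identity in the
        # current session; an identity may belong to exactly one local account.
        owner = self._owner.get(identity)
        if owner is not None and owner != account_id:
            raise AccountLinkError("identity already linked to another account")
        self._accounts[account_id].identities.add(identity)
        self._owner[identity] = account_id

    def unlink(self, account_id: str, identity: LinkedIdentity) -> None:
        acct = self._accounts[account_id]
        if identity not in acct.identities:
            raise AccountLinkError("identity is not linked to this account")
        if acct.login_methods() <= 1:  # never remove the last way in
            raise AccountLinkError("cannot unlink the only remaining login method")
        acct.identities.discard(identity)
        del self._owner[identity]

    def login_with_identity(self, provider: str, subject: str) -> Account | None:
        # The provider's callback already asserted (provider, subject); resolve it locally.
        account_id = self._owner.get(LinkedIdentity(provider, subject))
        return self._accounts.get(account_id) if account_id else None

def demo() -> dict:
    store = AccountStore()
    store.create("om")
    fb, goog = LinkedIdentity("facebook", "fb-100"), LinkedIdentity("google", "g-200")
    store.link("om", fb)
    store.link("om", goog)
    # Facebook suspended: no Facebook assertion arrives, but Google still resolves.
    via_google = store.login_with_identity("google", "g-200")
    store.unlink("om", fb)  # allowed: Google remains as a login method
    try:
        store.unlink("om", goog)
        last_removable = True
    except AccountLinkError:
        last_removable = False
    return {"via_google": via_google.account_id if via_google else None,
            "last_method_removable": last_removable}
```

The refusal to unlink the last login method is the part a relying party most often forgets; without it the user recreates the single point of failure by hand.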
You wouldn’t give control of your identity to someone in real life (at least with major regulation), so you sure as hell shouldn’t do it on the Internet where everything is indexed and persistent. When will people wake up?
Hello Om,
I see a lot of people recently using their FaceBook or Twitter accounts to log into dozens of other sites. It is a risk most people are not really aware of. Thank you for posting your experience here.
I can only suggest to use unique credentials to every site and service. There are great products to create, store and enter secure passwords that are convenient to use: 1password (http://agilewebsolutions.com/onepassword) or RoboForm (http://www.roboform.com/).
Roberto,
I am not sure if you are referring to Facebook connect and Twitter logins used on third party websites or if you are referring to entering the user credentials on a third party website.
If it’s the former, I must say your understanding of how FBConnect and Twitter Login work on third party websites and applications. Most websites I log in to using FB or Twitter either never ask for my credentials, or if they do (like Flickr), I enter the credentials on the first party website (Google or Facebook), which identifies and authenticates me and returns me to my Flickr user page. At no point am I giving away my google credentials to Flickr.
If it’s the latter: never mind. There are many companies that ask for your gmail login to scrape through the contacts list and spam them about the new service, in which case your approach is ideal.
Yikes – not fun Om!
While FC is certainly convenient it is a nightmare from a security point of view, so I avoid it.
FB means different things to different people. My usage has dropped from a few times a day to once a week over the past two years. I only include people I know and most of them are acquaintances. My close friends (probably about 10 people) are not members or are infrequent users and we use other communication modes to keep in touch. It has become an important Christmas card substitute for me – a way of seeing the presence of relatives and acquaintances on a weekly or monthly basis.
Maybe it’s just me, but I’d never use my FB credentials to log into another site. I simply don’t believe FB is secure enough. I think I’ve used MS’s login for multiple sites, but even then, I think they were all MS sites.
Besides, I don’t really want every site to know what my FB account is, or vice versa.
See this is the thing that every single person I talk to about facebook says. We all say that we don’t need it and use it less and less and only go there for photos and friends and I am exactly the same. What it has done with connect and is starting to do with improved messaging and things like places and deals is start to have more services that you just can not live without. Same with the Like button for publishers. They hooked us all with the simple social stuff but are expanding out from there!
Please change to https instead of http for FB (Account/Account Settings/Account Security). Then, if FB is important for your life, add the additional “new computer” thing right after https in the same option – it will email you if a new computer is accessing your account!
We’ve been slow to add FC to Raffle.it, staying for now with a standard simple sign up. The worry was more about what information we actually get access to (although I believe this has recently increased). Hadn’t ever considered the impact of players not having access to their FB accounts! Crazy really as another business I’m a director of is SocialSafe – the Facebook/Twitter backup tool!! A bit barn-door-horse-bolted but if you haven’t yet checked SocialSafe I’d love to send you a pro copy so you can at least have all your friends & content safe – won’t help with your FC services mind.
Stopped using FC after learning how much my connections to FB were really just playing to their monetization strategy and not necessarily to my benefit. This story of FC as a single point of failure is another good reason not to be using FC .. as easy as it is …
Over the weekend, my 14 year old tells me that he never uses FB … though my 16 year old still does … is FB going to fade for the next gen? I think so.
Ahhh, Facebook, it’s like putting all your eggs in one crappy basket.
If you can’t use the web without Facebook, you are doing it wrong.
Seems like the hacker is targeting popular bloggers. One Amit Agarwal of India faced the same situation barely 4 days before.
Who’s on the hit-list?
Don’t know why, of late, many prominent FB accounts are hacked.
Amit Agarwal’s (owner of Digital Inspiration) FB account was also hacked
http://www.labnol.org/internet/facebook-account-hacked/18748/
hey this happened with me also. There was no backup for managing my facebook account :(
hey was just passing by and saw your article … I am in this hot water too. My facebook was disabled without warning too. How could this have happened? Anyway, do you have any other e-mail I could submit an appeal to besides the usual one?
I really need all the help i could get … thanks ahead