On Tuesday I changed my Facebook password for the first time in forever. I literally hadn’t changed my Facebook password ever before, and I’ve been on Facebook for seven years. I also used my Facebook password on other services.
I assumed that I would be okay because I use two-factor authentication for Facebook, and so this wasn’t one of the passwords that I changed at the weekend. However, Facebook alerted me to some ‘unusual activity’ on my account which I didn’t recognise, so it forced me to set a new password. I duly created one of my standard 24 character passwords in 1Password and went with that.
As well as having to sign in again on my iPhone, iPad, and on desktop machines, Facebook also reset OAuth credentials for all third-party apps that use my account. The main ones that I’ve had to re-link are Timehop and Sunrise which need regular access. The Jetpack plugin for WordPress also needed re-connecting to Facebook, which was a little more involved; I kept getting error -10520 until I completely disconnected Jetpack from wordpress.com, re-connected it, and then connected to Facebook. And IFTTT emailed me to re-authenticate as well.
Facebook was one of the web sites that was identified as being susceptible to the Heartbleed bug so it could be that someone got hold of my password that way. I’ll never know for sure, and it could have been something that I did, but as the location of the login attempt was listed as being somewhere in London I decided to err on the safe side. I’ve also had a similar notification from Yahoo!, where someone in California attempted to access my account (which has a much stronger password) so that has been reset this week.
Worryingly, I probably would not have known about either incident had it not been for me enabling two-factor authentication – I was only notified because the attackers (if they were attackers) were thwarted when asked for codes. As my email address is public knowledge, on services where two-factor authentication isn’t available, all an attacker needs to do is guess my password. And whilst I choose very strong passwords, if an attacker is able to capture my password from somewhere then on most web sites they will have no problems getting in. Thankfully, most of the really important sites that I use have two-factor authentication available – Tumblr being the latest one that I’ve activated.
Mumsnet has already fallen victim to Heartbleed with one of its founders getting hacked – thankfully by someone without major malicious intent. I expect more sites will come under attack as time goes on – especially over the Easter weekend when fewer staff will be around to sort out server issues.