Facebook revealed Friday that it had been subject to a breach it discovered three days prior. An unknown hacker compromised 50 million accounts by stringing together a chain of software bugs that ultimately enabled the culprit to steal people’s so-called app access tokens. These tokens allow users to remain logged in, skipping the hassle of repeated password re-entry. Anyone in possession of another person’s token gains the ability to hijack that person’s profile.
In other words, Facebook faced, by its own estimation, 50 million potential account takeovers. What makes the situation worse is that these tokens can provide access to other linked services: Instagram, news sites, games, etc. Anything to which people have connected via a Facebook login could have been vulnerable. Contagion, networked.
The exploit was ironic. Facebook’s “view as” feature, a tool ostensibly designed for privacy purposes—that is, to let users check how their profile appears to other people—accidentally acted as a data sieve. While viewing one’s profile “as someone else,” an attacker could trigger a buggy video uploader through a mechanism intended to let people wish one another “happy birthday.” Accessed this way, the video uploader—containing flawed code since July 2017—served up a log-in token for that “someone else,” rather than for the true viewer. By impersonating targets through “view as,” an attacker could reap tokens galore.
Here’s a rule I live by: Never—or mostly never—use a social media login to access other online services. (I make a few exceptions for news aggregators connected to Twitter.) At the time of writing this column, only one service had access to my Facebook profile. I have since revoked its permission. (Sorry, Scribd.)
To review which services are connected to your Facebook account, take the following steps. Visit “Settings,” then click “Apps and Websites.” You can manage permissions here. If you’re worried about having to remember myriad passwords, use password management software.
Remember: every linkage is a potential point of vulnerability. Cybersecurity professionals call this concept network segmentation, and it is one of their fundamental principles.
A number of readers alerted me that a link I included in my last essay about credit freezes was broken. I regret the error. Here are the correct links: Equifax (phone number: 1-800-685-1111), Experian (1-888-397-3742), TransUnion (1-888-909-8872). Happy freezing.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.