<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; facebook security</title> <atom:link href="http://www.ghacks.net/tag/facebook-security/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Sat, 11 Feb 2012 17:32:23 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>A Guide To Facebook Security</title><link>http://www.ghacks.net/2011/08/21/a-guide-to-facebook-security/</link> <comments>http://www.ghacks.net/2011/08/21/a-guide-to-facebook-security/#comments</comments> <pubDate>Sun, 21 Aug 2011 07:15:15 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[security-guide]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=49364</guid> <description><![CDATA[Facebook on Thursday released a security guide aimed at young adults, parents and educators to educate them about security concepts on the social networking site. The 14 pages of the PDF document are packed with information that ranges from general account protection information to using Facebook&#8217;s advanced security settings or recovering a hacked Facebook [...]]]></description> <content:encoded><![CDATA[<p>Facebook on Thursday released a security guide aimed at young adults, parents and educators to educate them about security concepts on the social networking site. The 14 pages of the PDF document are packed with information that ranges from general account protection information to using Facebook&#8217;s advanced security settings or recovering a hacked Facebook account.</p><p>The guide explains the following security concepts on Facebook:</p><ul><li>Protect your Facebook account</li><li>Avoid the scammers</li><li>Use advanced security settings</li><li>Recover a hacked Facebook account</li><li>Stop imposters</li></ul><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/08/facebook-security-guide.png" alt="facebook security guide" title="facebook security guide" width="471" height="600" class="alignnone size-full wp-image-49366" /></p><p><strong>Protect your Facebook account</strong></p><p>This short guide offers two tips. First, it recommends using a good password. The interesting part here is that Facebook recommends the password manager KeePass Password Safe to users who have trouble remembering their Facebook login details.</p><p>The second tip is to always log out properly after a Facebook session.</p><p><strong>Avoid the scammers</strong></p><p>This part begins with a definition of scammers, and what they do on Facebook. It is very basic but a good read for users who are not familiar with the concept.</p><p>The &#8220;Scammers who target Facebook&#8221; part on the next page is more helpful. It displays two examples of what scams look like on Facebook and ends with tips on how to avoid clickjacking, malicious script scams and Facebook account thieves (due to phishing).</p><p><strong>Using advanced security settings</strong></p><p>Several security concepts and information are provided in this chapter. This includes information about secure browsing and how to enable a secure connection on Facebook, the use of one-time passwords with the help of a smartphone or mobile phone and monitoring account activity.</p><p><strong>Recovering a hacked Facebook account</strong></p><p>Facebook has guidelines on hacked accounts. The first thing that users need to do is to go to <a
href="http://www.facebook.com/hacked/">http://www.facebook.com/hacked/</a> to secure their account. The account will be temporarily locked and the user who initiated the lockdown will have to provide account-specific information to regain control.</p><p>The top tips for staying secure on Facebook offer additional tips to stay secure, for instance to use add-ons like Web of Trust or NoScript (!) in Firefox to protect the account.</p><p>I&#8217;m a bit surprised to see the guide mention both my password manager KeePass and my favorite Firefox security add-on NoScript. That alone makes the guide stick out from the usual &#8220;security guides&#8221; on network sites that you find on the Internet. So, great read for users who want to understand some of the security concepts on Facebook.</p><p>I recommend you check it out, or send the link to the document to friends, family or colleagues who need to freshen up in this regard. [<a
href="https://www.facebook.com/safety/attachment/Guide%20to%20Facebook%20Security.pdf">link</a>, <a
href="http://mytechquest.com/facebook/download-free-official-guide-to-facebook-security/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+mytechquest+%28My+Tech+Quest%29">via</a>]</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/08/21/a-guide-to-facebook-security/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>How To Properly Protect Your Facebook Account, Login</title><link>http://www.ghacks.net/2011/05/30/how-to-properly-protect-your-facebook-account-login/</link> <comments>http://www.ghacks.net/2011/05/30/how-to-properly-protect-your-facebook-account-login/#comments</comments> <pubDate>Mon, 30 May 2011 06:33:05 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[companies]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[internet security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45739</guid> <description><![CDATA[Facebook has been rolling out new or improved security and privacy features in rapid succession for the past year. Many of the changes have only been announced on the official blog and third party sites like Ghacks that report about them. Facebook users who do not read the official blog or third party sites like [...]]]></description> <content:encoded><![CDATA[<p>Facebook has been rolling out new or improved security and privacy features in rapid succession for the past year. Many of the changes have only been announced on the official blog and third party sites like Ghacks that report about them. Facebook users who do not read the official blog or third party sites like mine may have missed some or even all of the security and privacy changes. Most new features are added as opt-in features to the social networking site, which means that many users have not enabled them yet.</p><p>This short guide lists the important changes and some general tips to improve a Facebook account&#8217;s security and login.</p><h4>Facebook Account Hardening</h4><p>Most security features on Facebook deal with the log in on the site. This is where we start as well.</p><ul><li>Facebook password: Make sure you use a secure password on Facebook. Best passwords are made up of a combination of letters, numbers and special characters. It is suggested to use at least 14 characters, the more the better. Make sure that you do not use dictionary words, names or other terms that can be associated with you.</li></ul><p>To change your password do the following: Click <strong>Account</strong> on the upper right and select <strong>Account Settings</strong> from the menu.</p><p>Locate <strong>Password</strong> under the Settings tab and click the <strong>change</strong> link on the right of it. A form opens on the same page where you need to enter your old password and the new password. 
A click on Change Password completes the process so that the new password will be the valid password from that moment on. You will be logged out of all computers when you change the password.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/change-facebook-password.png" alt="change facebook password" title="change facebook password" width="563" height="285" class="alignnone size-full wp-image-45740" /></p><ul><li>Security Question: The security question and answer are used by Facebook to identify the account owner, for instance when you contact them because you do not have access to your account anymore. It is important to select a question and answer that only you can answer. Remember that you can add any answer that you want. Instead of answering &#8220;What was the last name of your first grade teacher&#8221; with Mrs. Smith, you could instead use characters from your ID card, driver&#8217;s license or a phrase that you can remember well.</li></ul><p>You can change the Security Questions under <strong>Account Settings</strong> as well. Just select <strong>change</strong> next to Security Question this time.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/security-question.png" alt="security question" title="security question" width="554" height="172" class="alignnone size-full wp-image-45741" /></p><ul><li><a
href="http://www.ghacks.net/2011/01/26/facebook-improves-security-with-secure-browsing-social-authentication/">Secure Browsing</a> (https): You can open Facebook by loading http://www.facebook.com/ and https://www.facebook.com/. The difference? The HTTPS variant is more secure, as it encrypts the connection so that others on the network cannot spy on your traffic. That&#8217;s for instance helpful if you connect to the site from a public computer or wireless network.</li><li>Login Notifications: You can enable this option to receive emails whenever someone logs in to your Facebook account from an unrecognized computer.</li><li><a
href="http://www.ghacks.net/2011/05/13/facebook-login-approvals-optional-two-factor-authentication/">Facebook Login Approvals</a>: This new feature improves security by linking the Facebook account to your mobile phone number. Facebook sends a pin to the linked mobile phone whenever someone tries to log in from an unrecognized computer. You need to add your mobile phone number to Facebook before you can make use of that feature.</li></ul><p>You can configure all three options under Account Settings. Locate Account Security there and click the change button to see the following configuration options.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/facebook-account-security.png" alt="facebook account security" title="facebook account security" width="580" height="277" class="alignnone size-full wp-image-45742" /></p><p>It is suggested to enable all three, unless you do not want to add your mobile phone to Facebook. In that case, enable the first two (secure browsing and login notification).</p><p>Is there anything else that you do to keep your Facebook login and account secure? Let us know in the comments.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/30/how-to-properly-protect-your-facebook-account-login/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Facebook Login Approvals, Optional Two-Factor Authentication</title><link>http://www.ghacks.net/2011/05/13/facebook-login-approvals-optional-two-factor-authentication/</link> <comments>http://www.ghacks.net/2011/05/13/facebook-login-approvals-optional-two-factor-authentication/#comments</comments> <pubDate>Fri, 13 May 2011 18:59:51 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook login approvals]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45107</guid> <description><![CDATA[Facebook about a month ago began to roll out a two-factor authentication system designed to protect user accounts from unauthorized access. Two-Factor authentication is designed to add a second form of authentication to the login process, usually in the form of a code that is sent to the user. PayPal for instance is offering VeriSign ID [...]]]></description> <content:encoded><![CDATA[<p>Facebook about a month ago began to roll out a two-factor authentication system designed to protect user accounts from unauthorized access. Two-Factor authentication is designed to add a second form of authentication to the login process, usually in the form of a code that is sent to the user.</p><p>PayPal for instance is offering <a
href="http://www.ghacks.net/2008/07/19/protect-paypal-accounts-with-verisign-identity-protection-devices/">VeriSign ID Protection</a> devices that act as a second layer of authentication. Google recently introduced <a
href="http://www.ghacks.net/2011/02/22/enable-google-2-step-verification-right-now-even-if-it-is-not-available/">two-step verification</a> for Google accounts as well.</p><p>The company <a
href="http://www.facebook.com/note.php?note_id=10150172618258920">confirmed</a> today on the official Facebook blog that the feature has been rolled out to all Facebook users. Every Facebook user now has the option to enable two-factor authentication on Facebook. The protection is called Facebook Login Approvals, and is designed to add a second layer of protection to the log in process on the social networking site.</p><p>Facebook users can enable the new security feature under Account > Account Settings > Account Security.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/facebook-login-approvals.png" alt="facebook login approvals" title="facebook login approvals" width="449" height="247" class="alignnone size-full wp-image-45108" /></p><p>This launches a wizard that guides the user through the activation of the security service. Login Approvals works in the following way:</p><p>You link a mobile phone number to your Facebook account. This mobile phone number receives a code via SMS whenever someone with the correct username and password tries to log in from an unauthorized computer.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/login-approvals.png" alt="login approvals" title="login approvals" width="460" height="270" class="alignnone size-full wp-image-45110" /></p><p>This means that you do not get a code when you log in from your home computer. No code is sent either when an attacker does not enter the right login credentials.</p><p>The only two scenarios where the code is sent are unauthorized login attempts by attackers who have your username and password, and first time log ins on new computer systems or devices.</p><p>Facebook users will furthermore be notified of log in attempts from unauthorized computer systems. An unsuccessful attempt usually means that someone else is in possession of a user&#8217;s Facebook username and password. Users get options to change their account password right away to protect their account further.</p><p>Back to the configuration. Codes are currently only sent to mobile phones via SMS. This means that you need to add at least one mobile phone number to your Facebook account.</p><p>Users who have not done that already are asked to add a mobile phone number to their account to complete the Login Approvals setup.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/confirm-your-phone.png" alt="confirm your phone" title="confirm your phone" width="453" height="203" class="alignnone size-full wp-image-45111" /></p><p>It is afterwards necessary to confirm the phone by entering a code that is sent to it by Facebook. The mobile phone number and Facebook account are from that moment on linked.</p><p>What happens if you lose your phone? You still have the option to log in from computer systems that have been authorized previously.</p><p>Facebook users who want to add an extra layer of protection to their account should consider enabling login approvals. Some users may not want to add a mobile phone number to their Facebook account on the other hand. There is unfortunately no way around this currently if you want to make use of Login Approvals. (via <a
href="http://loginhelper.com/login-security/facebook-login-approvals/">Facebook Login Approvals</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/13/facebook-login-approvals-optional-two-factor-authentication/feed/</wfw:commentRss> <slash:comments>17</slash:comments> </item> <item><title>The Ugly Side Of The Cloud, Facebook Access Vulnerability Uncovered</title><link>http://www.ghacks.net/2011/05/11/the-ugly-side-of-the-cloud-facebook-access-vulnerability-uncovered/</link> <comments>http://www.ghacks.net/2011/05/11/the-ugly-side-of-the-cloud-facebook-access-vulnerability-uncovered/#comments</comments> <pubDate>Wed, 11 May 2011 14:56:35 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45006</guid> <description><![CDATA[Security has been one of the top topics of the last 30 days. We have had the Last Pass incident and the Sony PSN hack. Both incidents demonstrated that your data may be at risk, even if you play by the book and use the best security practices available. If you thought that&#8217;s all for [...]]]></description> <content:encoded><![CDATA[<p>Security has been one of the top topics of the last 30 days. We have had the <a
href="http://www.ghacks.net/2011/05/05/lastpass-security-breach/">Last Pass</a> incident and the <a
href="http://www.ghacks.net/2011/04/27/sony-psn-hack-what-you-need-to-know-right-now/">Sony PSN hack</a>. Both incidents demonstrated that your data may be at risk, even if you play by the book and use the best security practices available.</p><p>If you thought that&#8217;s all for this month, then you were wrong. <a
href="http://www.symantec.com/connect/blogs/facebook-applications-accidentally-leaking-access-third-parties">Symantec</a> yesterday revealed that they uncovered an access vulnerability on Facebook which may date back to 2007.</p><p>Facebook applications, in certain cases, leaked access tokens to third parties. Access tokens are used by applications to act on behalf of the user, for instance by posting to the user&#8217;s wall. With those access tokens at their disposal, advertisers and companies were theoretically able to perform operations on the user&#8217;s behalf, which could include accessing friends&#8217; profiles, even if they are blocked from the public, posting to a user&#8217;s wall, chats or photos.</p><p>Symantec estimates that close to 100,000 Facebook applications leak those access tokens. Third party applications were introduced by Facebook in 2007, and Symantec estimates that the vulnerability has been there from day one.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/facebook.png" alt="facebook" title="facebook" width="204" height="61" class="alignnone size-full wp-image-45008" /></p><p>According to Symantec, it is unlikely that companies have discovered the vulnerability, which makes exploitation unlikely but not impossible.</p><p>Facebook seems to have fixed the access vulnerability in the meantime. That does not mean that Facebook accounts are safe right away, considering that access tokens do not expire right away.</p><p>Most access tokens expire after some time. Applications can however request offline access during installation which sets an access token that does not expire on its own. The only way around this is to invalidate that access token by changing the account password.</p><p>Facebook <a
href="https://developers.facebook.com/blog/post/497">recently</a> announced the migration to OAuth 2.0 for all applications. Application developers have until September 1 to change the authentication scheme of their applications to OAuth 2.0.</p><p>It may be a good time to change your Facebook password if you are using or have used third party applications on Facebook.</p><p><strong>Melanie’s take</strong></p><p>Once Again, You May Be Sharing More Than You Intended on Facebook</p><p>Facebook’s privacy record hasn’t exactly been stellar.  In the past, however, the negative press Facebook has received over its privacy fiascos has been due to a changed setting or a policy switch.  Now, though, Facebook is once again under fire, this time due to leaky security.</p><p>In the past, Facebook has been criticized because of its attitude toward privacy.  It is increasingly obvious that Facebook’s intent is to make sure as many people share as much as is possible.  There has been a noticeable shift over the past five years.  In the beginning, Facebook made your personal information private and under your control by default.  Now, all of your data is as wide open as it can be by default.  If you want to make your data more private, it isn’t quite as easy as one, two, and three.  For the average user, it is difficult to navigate your way through the pages of privacy settings.</p><p>To be fair to Facebook, this time, the problem wasn’t a deliberate attempt to make more of your personal data public.  It is an accidental leak of your data to third parties.</p><p>You know those apps that are so popular?  The ones that add functionality to the Facebook ecosystem for everything from games to shopping?  Well, according to security firm Symantec, it turns out that since Facebook apps were introduced in 2007, they’ve been leaking your information to third parties.</p><p>The leak involves access tokens.  These are given to the apps you use so that they can access your user data.
The apps need them to access and post on your wall, see your friends’ profiles, and see the personal information they need to function. Symantec says that by accident, over 100 thousand applications may have leaked millions of access tokens to third parties.</p><p>Facebook reassures its users that there have been no negative consequences of the potentially leaked user information, and that no private data has been leaked to third parties. Symantec notes that although it’s possible third parties didn’t even know they could access the information, the repercussions of the leak could be extensive.</p><p>Symantec made Facebook aware of the problem in mid April, and Facebook said that as of Tuesday there was no longer an issue, and the leak had been fixed.<br
/> This isn’t the first time Facebook has learned that apps might be sharing info with third parties, intentionally or not.  Last fall, Facebook suspended some apps for doing exactly that.</p><p>Facebook, once again, might have been sharing more of your data with people you don’t necessarily want to see it.  At least this time it’s by accident, and it’s something that can be fixed.  Still it’s yet one less reason to trust Facebook’s privacy.</p><p>Is the Facebook privacy issue a big one for you?  Do you consider your data yours, or are you of the opinion that if you’re sharing something online, it’s in public anyway?  What are your thoughts?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/11/the-ugly-side-of-the-cloud-facebook-access-vulnerability-uncovered/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Facebook Adds (Optional) Two-Factor Authentication</title><link>http://www.ghacks.net/2011/04/19/facebook-adds-optional-two-factor-authentication/</link> <comments>http://www.ghacks.net/2011/04/19/facebook-adds-optional-two-factor-authentication/#comments</comments> <pubDate>Tue, 19 Apr 2011 13:19:43 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[two-factor authentication]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44101</guid> <description><![CDATA[Two-Factor Authentication seems to be the next big thing to protect accounts from unauthorized access. Google recently enabled the feature for Google Accounts and now it is Facebook&#8217;s turn to introduce a similar feature for all Facebook users. Two-Factor Authentication is being rolled out at the moment which means that the new feature is not [...]]]></description> <content:encoded><![CDATA[<p>Two-Factor Authentication seems to be the next big thing to protect accounts from unauthorized access. Google recently enabled the feature for <a
href="http://www.ghacks.net/2011/02/22/enable-google-2-step-verification-right-now-even-if-it-is-not-available/">Google Accounts</a> and now it is Facebook&#8217;s turn to introduce a similar feature for all Facebook users.</p><p>Two-Factor Authentication is being rolled out at the moment which means that the new feature is not available for all accounts yet.</p><p>What we know at this point is that it is turned off by default which means that users need to turn it on before it becomes available. This is similar to the always use HTTPS feature that was introduced earlier this year by Facebook.</p><p>It is likely that Two-Factor Authentication will become available under Account Security in the Facebook Settings, just like Secure Browsing (https) did earlier this year.</p><p>The blog post <a
href="http://blog.facebook.com/blog.php?post=10150153272607131">over at</a> the official Facebook blog is vague about the new feature.</p><blockquote><p>If you turn this new feature on, we&#8217;ll ask you to enter a code anytime you try to log into Facebook from a new device</p></blockquote><p>This is a core difference to Google&#8217;s 2-Factor Authentication which stays active once it has been enabled for an account. Facebook&#8217;s Two-Factor Authentication on the other hand will only ask for the second code if a user tries to log in from a new device or computer which makes the protection a lot weaker.</p><p>Sites like <a
href="http://thenextweb.com/facebook/2011/04/19/facebook-pushes-online-safety-with-two-factor-authentication-and-improved-https/">The Next Web</a> are reporting that the feature is similar to Google&#8217;s Two-step verification which it clearly is not, except for the fact that both systems ask the user to enter two codes to log in.</p><p>The blog post mentions additional improvements, including a switch back to HTTPS if you use an application that connects via plain http.</p><p>The remaining improvements concern family and online safety, more than they do security. A new social reporting tool has been <a
href="https://www.facebook.com/note.php?note_id=196124227075034">revealed</a> &#8220;that allows people to notify a member of their community, in addition to Facebook, when they see something they don&#8217;t like&#8221;.</p><p>Two-Factor Authentication is a step in the right direction, but Facebook users should have options to enable it for all logins on the social networking site, not only for log ins from new devices or computers, (via <a
href="http://stadt-bremerhaven.de/facebook-fuehrt-doppelte-anmeldesicherheit-a-la-google-ein?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+stadt-bremerhaven%2FdqXM+%28Caschys+Blog%29">Caschy</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/19/facebook-adds-optional-two-factor-authentication/feed/</wfw:commentRss> <slash:comments>10</slash:comments> </item> <item><title>Facebook Improves Security With Secure Browsing, Social Authentication</title><link>http://www.ghacks.net/2011/01/26/facebook-improves-security-with-secure-browsing-social-authentication/</link> <comments>http://www.ghacks.net/2011/01/26/facebook-improves-security-with-secure-browsing-social-authentication/#comments</comments> <pubDate>Wed, 26 Jan 2011 17:00:38 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook acount]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[secure browsing]]></category> <category><![CDATA[social authentication]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=39312</guid> <description><![CDATA[Facebook today announced two changes to the popular social networking site that aim to improve the security of site visitors. Secure Browsing is a new opt-in option to configure Facebook to always use https connections. While Facebook is already making use of a secure connection when the user logs into the network, it is not [...]]]></description> <content:encoded><![CDATA[<p>Facebook today announced two changes to the popular social networking site that aim to improve the security of site visitors. Secure Browsing is a new opt-in option to configure Facebook to always use https connections. While Facebook is already making use of a secure connection when the user logs into the network, it is not making use of the secure connection during the entire session.</p><p>Enabling secure browsing for an account ensures that data cannot be monitored by other users of the network or the ISP. That&#8217;s especially useful when public computers or networks are used to connect to Facebook.</p><p>The new option will be rolled out gradually in the coming weeks. Users will find it under Account Settings > Account Security. They need to check &#8220;Browse Facebook on a secure connection (https) whenever possible&#8221; under Secure Browsing (https).</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/01/facebook-secure-browsing.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/01/facebook-secure-browsing-550x301.jpg" alt="facebook secure browsing" title="facebook secure browsing" width="550" height="301" class="alignnone size-medium wp-image-39313" /></a></p><blockquote><p>Starting today we&#8217;ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the &#8220;Account Security&#8221; section of the Account Settings page.</p><p>There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We&#8217;ll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.</p></blockquote><p>Social Authentication is currently being tested on Facebook. Facebook sometimes displays captchas when account irregularities are detected. Text captchas are highly problematic for a number of reasons. They are at times hard to decipher and only protect against some computer based attacks. Human attackers on the other hand are not kept away, as they can solve the captchas as easily as the account holder.</p><p>Social Authentication changes the captchas. Instead of displaying random hard to read text, they show friends of the user and options to identify those friends. While that is still not impossible for attackers to answer, it does pose a greater challenge than text captchas.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/01/facebook-identify-this-friend.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/01/facebook-identify-this-friend-550x341.jpg" alt="facebook identify this friend" title="facebook identify this friend" width="550" height="341" class="alignnone size-medium wp-image-39314" /></a></p><blockquote><p>Many sites around the web use a type of challenge-response test called a captcha in their registration or purchasing flows. The purpose of this test is to verify that you are a human being and not a computer trying to game the system. Traditional captchas have a number of limitations including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers.</p><p>Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don&#8217;t know who your friends are.</p><p>We will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful.</p></blockquote><p>What&#8217;s your take on the new security improvements? (<a
href="http://blog.facebook.com/blog.php?post=486790652130">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/01/26/facebook-improves-security-with-secure-browsing-social-authentication/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Facebook Apps Now Able To Grab Mobile Phone Number, Address</title><link>http://www.ghacks.net/2011/01/17/facebook-apps-now-able-to-grab-mobile-phone-number-address/</link> <comments>http://www.ghacks.net/2011/01/17/facebook-apps-now-able-to-grab-mobile-phone-number-address/#comments</comments> <pubDate>Mon, 17 Jan 2011 09:31:20 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=39031</guid> <description><![CDATA[Facebook and privacy, the saga will never end it seems. A recent blog posting over at Facebook by Jeff Bowen outlines some of the platform updates for developers. The announcement is technical and most users have probably skipped it altogether, if they did find it in the first place that is. Probably the most important [...]]]></description> <content:encoded><![CDATA[<p>Facebook and privacy, the saga will never end it seems. A recent blog posting over at Facebook by Jeff Bowen outlines some of the platform updates for developers. The announcement is technical and most users have probably skipped it altogether, if they did find it in the first place that is.</p><p>Probably the most important information from a Facebook user perspective is the integration of a user&#8217;s address and mobile phone number as part of the User Graph object. It basically means that application developers can now request permission to access the user&#8217;s contact information on Facebook.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/01/facebook-mobile-phone-number-address.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/01/facebook-mobile-phone-number-address.png" alt="facebook mobile phone number address" title="facebook mobile phone number address" width="707" height="430" class="alignnone size-full wp-image-39032" /></a></p><p>If a Facebook app requests the information, the request is displayed on the permission prompt. It reads &#8220;Access my contact information, Current Address and Mobile Phone Number&#8221;.</p><p>Users who allow access basically hand over their address and mobile phone number, if they have added the data to their Facebook account.</p><p>Active Facebook users see those prompts on a regular basis, and it is likely that the majority clicks on the Allow button without reading the permission request first to play the game or access the app.</p><p>Rogue apps can exploit the issue to gather addresses and phone numbers in addition to basic information such as the user&#8217;s name. With that information available, spammers could send personalized SMS spam or phishing SMS, or use the information for identity theft.</p><p>Facebook users have a few options at hand to protect their data. Those who do not play games or use apps do not need to change anything, as it is currently not possible to request permission to access the address and mobile phone number of friends.</p><p>Users who play games or use apps may want to consider changing or removing mobile phone and address information from Facebook. This way, they can grant access without revealing the information.</p><p>Considering that the information is sensitive, it would have been better if Facebook had added an option to request the data manually from the user instead. A simple prompt asking the user to enter the mobile phone number or address would certainly be more acceptable to the majority of users.
It would have the additional benefit of making the Facebook user aware of the request since it would mean that the user had to enter data in a form manually.</p><p>Have you added your mobile phone number and / or address to your Facebook account? What&#8217;s your take on the latest change? (<a
href="http://developers.facebook.com/blog/post/446">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/01/17/facebook-apps-now-able-to-grab-mobile-phone-number-address/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Facebook Displaying Name New Computer On Every Log In</title><link>http://www.ghacks.net/2010/10/18/facebook-displaying-name-new-computer-on-every-log-in/</link> <comments>http://www.ghacks.net/2010/10/18/facebook-displaying-name-new-computer-on-every-log-in/#comments</comments> <pubDate>Mon, 18 Oct 2010 18:06:14 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook log in]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[name new computer]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=35994</guid> <description><![CDATA[I&#8217;m not a regular on Facebook, especially since I switched to the latest nightly releases of Firefox 4 which appear to have a problem with Facebook and the NoScript add-on. Lots of browser crashes are the consequence at the moment. Whenever I log into Facebook I get the Name New Computer screen. Every single time [...]]]></description> <content:encoded><![CDATA[<p>I&#8217;m not a regular on Facebook, especially since I switched to the latest nightly releases of Firefox 4 which appear to have a problem with Facebook and the NoScript add-on. Lots of browser crashes are the consequence at the moment. Whenever I log into Facebook I get the Name New Computer screen. Every single time I log in. Let&#8217;s see what that screen says:</p><p>Name New Computer. To add this computer to your list of trusted devices, please give it a name (ex: Home, Work, Public Library, Science Lab). After you name this computer, you&#8217;ll receive a notification to confirm that you logged in from here.</p><p>A click on Why am I seeing this reveals additional information:</p><p>Why am I seeing this? In your account security settings, you opted to receive notifications whenever a new computer or mobile device accesses your Facebook account. After you name this computer, you&#8217;ll receive a notification confirming that you logged in from here.</p><p>While that does sound reasonable enough, it raises the question why I&#8217;m seeing the Name New Computer (previously known as Register this computer) page whenever I log in from the same computer. This should not be the case, considering that I have checked the Don&#8217;t ask me again from this computer box.</p><p>No information is posted on the page about how Facebook determines if a new computer is used to log into the social networking site. My guess is that they use a computer&#8217;s IP address and / or cookies to determine that.
Which in turn means trouble for all users who get a dynamic IP address every time they log on to the Internet.</p><p>What are the options to get rid of the notification screen? Probably the most convenient option is to disable Facebook login notifications. This gets rid of the Name New Computer screen on log on.</p><p>Some users may argue that this reduces the account security on Facebook. That is true, but only if the user has enabled SMS or email notifications whenever a new PC or mobile device logs into the Facebook account.</p><p>If that option is disabled it does not change the account security at all. Why? Because it is possible to remove devices that previously logged in in the account settings. A new PC or mobile device would only be added if another person got access to the Facebook account, which in turn means that the person is able to remove the device used to log in from the settings.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/10/account-security-login-notifications-500x215.png" alt="account security login notifications" title="account security login notifications" width="500" height="215" class="alignnone size-medium wp-image-35995" /></p><p>To turn off login notifications click on Account > Account Settings > Account Security. Simply click on Off next to Login Notifications and then Save to save the new setting. Log ins will no longer be recorded from that moment on.</p><p>Is there another option? If it is indeed IP based you could use a VPN or proxy server to always use the same IP when logging in. But that&#8217;s likely something that only a minority of users have access to.</p><p>Have you had troubles with the name new computer dialog on Facebook? How did you cope with them?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/10/18/facebook-displaying-name-new-computer-on-every-log-in/feed/</wfw:commentRss> <slash:comments>47</slash:comments> </item> <item><title>Facebook Improves Security, One-Time Login, Remote Logout</title><link>http://www.ghacks.net/2010/10/13/facebook-improves-security-one-time-login-remote-logout/</link> <comments>http://www.ghacks.net/2010/10/13/facebook-improves-security-one-time-login-remote-logout/#comments</comments> <pubDate>Wed, 13 Oct 2010 09:27:00 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[one-time password]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=35840</guid> <description><![CDATA[So-called one-time logins, single-use codes or temporary passwords seem to be one of the latest trends in web site security. Hotmail has been offering their single-use codes for some time now, allowing users to request a one-time password on the Hotmail login page that they receive on their mobile phone linked to the account. [...]]]></description> <content:encoded><![CDATA[<p>So-called one-time logins, single-use codes or temporary passwords seem to be one of the latest trends in web site security. Hotmail has been offering their single-use codes for some time now, allowing users to request a one-time password on the Hotmail login page that they receive on their mobile phone linked to the account.</p><p>Facebook yesterday introduced a similar feature that they call one-time passwords. But instead of having to visit the Facebook page to request the one-time password, Facebook users need to send the text &#8220;otp&#8221; to 32665 on their mobile phone. They then receive the password that they can use to login on Facebook. The password is only valid for one login, and will expire automatically after 20 minutes.</p><p>According to the announcement post, this feature is rolled out gradually. We are not sure at this point if this will be a US feature for now, or if this option is available globally.</p><p>There is also no information on the costs of sending and receiving the one-time password to login.</p><p>The second improvement has been available to some users for some time already, but is now available to all Facebook users. All Facebook users now have the option to see all active Facebook sessions, with the ability to end remote sessions.</p><p>This can be helpful in numerous situations. Maybe you have logged into Facebook in the library to check your account and forgot to log out.
With account activity it is now possible to log out so that no one else can access the data in the account.</p><p>But this is also helpful if someone else managed to get unauthorized access to the account. The first step would be to log them out, and then change the password to protect the account and prevent this from happening again. Then again, they may do the same so you had better hurry and know what you are doing.</p><p>In addition to that, Facebook will from now on display prompts after login that ask the user to check and edit security information. Recently we have been asked to name the computer that we were working on for instance.</p><p>The <a
href="http://blog.facebook.com/blog.php?post=436800707130">blog</a> post on Facebook does not address some questions that users may have, for instance if the one-time password option is available internationally, how much users will be charged for the request or when it is available to them.</p><p>Facebook users do need to make sure that they have the mobile phone number linked to their account, before they can start requesting one-time passwords to log in.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/10/13/facebook-improves-security-one-time-login-remote-logout/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>Facebook Privacy Scanner</title><link>http://www.ghacks.net/2010/05/18/facebook-privacy-scanner/</link> <comments>http://www.ghacks.net/2010/05/18/facebook-privacy-scanner/#comments</comments> <pubDate>Tue, 18 May 2010 07:56:28 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[bookmarklet]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[reclaim privacy]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=25493</guid> <description><![CDATA[Facebook does not seem to come to rest these days with the increasing awareness that privacy is not handled the way it should be on the popular social networking site. The problems boil down to the large number of privacy related settings and the ever changing nature of the network which intentionally or unintentionally makes [...]]]></description> <content:encoded><![CDATA[<p>Facebook does not seem to come to rest these days with the increasing awareness that privacy is not handled the way it should be on the popular social networking site.</p><p>The problems boil down to the large number of privacy related settings and the ever changing nature of the network which intentionally or unintentionally makes privacy a complicated matter for users of all experience levels.</p><p>Reclaim Privacy have created a bookmarklet that can scan a Facebook account to evaluate the privacy settings. The bookmarklet is easy to use which is a big advantage these days.</p><p><span
id="more-25493"></span>All that Facebook users need to do is to drag the bookmarklet to their bookmarks to have it at hand when needed. They then need to visit Facebook and log in as usual.</p><p>Once they are in their account they can click the bookmarklet to initiate the privacy scan.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/05/facebook_privacy_scan-499x180.png" alt="facebook privacy scan" title="facebook privacy scan" width="499" height="180" class="alignnone size-medium wp-image-25494" /></p><p>The scan will perform six different checks:</p><ul><li>If the Facebook user opted out of the Instant Personalization feature</li><li>If the personal information is restricted to friends or closer</li><li>If the contact information is restricted to friends or closer</li><li>If all friends, tags and connections information is restricted to friends or closer</li><li>If friends are protected from accidentally sharing personal information</li><li>If all applications that could leak personal information are blocked</li></ul><p>A results listing is displayed on top of the Facebook page indicating the privacy level of the six checks.</p><p>If you want to check your Facebook Privacy settings visit <a
href="http://www.reclaimprivacy.org/">Reclaim Privacy</a> for the bookmarklet.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/05/18/facebook-privacy-scanner/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Receive Notifications If Someone Else Logs Into Your Facebook Account</title><link>http://www.ghacks.net/2010/05/11/receive-notifications-if-someone-else-logs-into-your-facebook-account/</link> <comments>http://www.ghacks.net/2010/05/11/receive-notifications-if-someone-else-logs-into-your-facebook-account/#comments</comments> <pubDate>Tue, 11 May 2010 12:30:33 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook account]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook notifications]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=25348</guid> <description><![CDATA[Facebook&#8217;s popularity makes it a prime target for hackers, phishers and other malicious users who try to steal your login information, invade your privacy or do other malicious things with your account. Many Facebook users do not know that Facebook has an option to notify account owners about logins from other computer systems and mobile [...]]]></description> <content:encoded><![CDATA[<p>Facebook&#8217;s popularity makes it a prime target for hackers, phishers and other malicious users who try to steal your login information, invade your privacy or do other malicious things with your account.</p><p>Many Facebook users do not know that Facebook has an option to notify account owners about logins from other computer systems and mobile devices.</p><p>While this does not prevent the other user from logging in it gives the actual account owner information at hand to react immediately to prevent further damages.</p><p>Every Facebook user can configure the account to include that notification of unauthorized access.</p><p><span
id="more-25348"></span>Here is how you can configure your account. Open the Facebook homepage and log into your account. Click the Account link in the upper right corner of the screen and then account settings in the context menu.</p><p>This opens the My Account configuration menu. Locate the Account Security setting under the settings tab.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/05/facebook_account-500x358.png" alt="facebook account" title="facebook account" width="500" height="358" class="alignnone size-medium wp-image-25350" /></p><p>Click on the change link on the right of Account Security to display the options directly on the same page. The setting reads:</p><blockquote><p>To help keep your Facebook account as safe as possible, we can notify you when your account is accessed from a computer or mobile device that you haven&#8217;t used before.</p></blockquote><p>The default value is set to no. Select yes and submit to activate the notifications.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/05/facebook_account_security-500x133.png" alt="facebook account security" title="facebook account security" width="500" height="133" class="alignnone size-medium wp-image-25351" /></p><p>Make sure to log out and in again as you are asked to register the current computer system with Facebook on the next login to the social network.</p><blockquote><p>Please take a moment to register this computer by choosing a name you&#8217;ll remember later. You&#8217;ll receive a notification confirming that you registered and logged in from here. Please note that if you clear your cookies you may need to reregister this computer.</p></blockquote><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/05/facebook_register_computer-500x233.png" alt="facebook register computer" title="facebook register computer" width="500" height="233" class="alignnone size-medium wp-image-25352" /></p><p>It is suggested to select Don&#8217;t ask me again from this computer if the computer is not a public computer (e.g. library or school).</p><p>You will receive email notifications whenever a user logs into your Facebook account from a non-registered computer or from a computer where the don&#8217;t ask me again checkbox was not checked. (via <a
href="http://www.troublefixers.com/secure-facebook-account-from-hacking/">Troublefixers</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/05/11/receive-notifications-if-someone-else-logs-into-your-facebook-account/feed/</wfw:commentRss> <slash:comments>18</slash:comments> </item> <item><title>Facebook Pulls Chat To Fix Another Privacy Hole</title><link>http://www.ghacks.net/2010/05/06/facebook-pulls-chat-to-fix-another-privacy-hole/</link> <comments>http://www.ghacks.net/2010/05/06/facebook-pulls-chat-to-fix-another-privacy-hole/#comments</comments> <pubDate>Thu, 06 May 2010 06:37:36 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[companies]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook chat]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=25184</guid> <description><![CDATA[Facebook feels like privacy hell. Not a single week goes by without reports of new privacy problems on the popular social networking site. The latest was published on Techcrunch Europe just yesterday. It apparently allowed anyone to view their friend&#8217;s live chats and take a look at their friend requests and friends. It is ironic [...]]]></description> <content:encoded><![CDATA[<p>Facebook feels like privacy hell. Not a single week goes by without reports of new privacy problems on the popular social networking site. The latest was published on <a
href="http://eu.techcrunch.com/2010/05/05/video-major-facebook-security-hole-lets-you-view-your-friends-live-chats/">Techcrunch Europe</a> just yesterday. It apparently allowed anyone to view their friend&#8217;s live chats and take a look at their friend requests and friends.</p><p>It is ironic that Facebook&#8217;s privacy preview feature was used to access the chat and private information of other Facebook users.</p><p>All it apparently took to view the live chat for instance was to enter the friend&#8217;s name in the &#8220;Preview how your profile appears to a specific person:&#8221; field to access it. That&#8217;s almost too good to be true.</p><p><span
id="more-25184"></span><object
width="640" height="385"><param
name="movie" value="http://www.youtube.com/v/ny8ui4delEo&#038;color1=0xb1b1b1&#038;color2=0xd0d0d0&#038;hl=en_US&#038;feature=player_embedded&#038;fs=1"></param><param
name="allowFullScreen" value="true"></param><param
name="allowScriptAccess" value="always"></param><embed
src="http://www.youtube.com/v/ny8ui4delEo&#038;color1=0xb1b1b1&#038;color2=0xd0d0d0&#038;hl=en_US&#038;feature=player_embedded&#038;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="640" height="385"></embed></object></p><p>Facebook&#8217;s first response was to pull live chat from the site with the promise to bring it back when the privacy hole has been fixed.</p><blockquote><p>For a limited period of time, a bug permitted some users&#8217; chat messages and pending friend requests to be made visible to their friends by manipulating the &#8220;preview my profile&#8221; feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.</p></blockquote><p>Both privacy problems seem to have been fixed by now. Chat is available again on Facebook. Will this be the last privacy hole on Facebook? That&#8217;s highly unlikely. 
What&#8217;s your take on the story?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/05/06/facebook-pulls-chat-to-fix-another-privacy-hole/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>What Does Facebook Reveal About You?</title><link>http://www.ghacks.net/2010/04/29/what-does-facebook-reveal-about-you/</link> <comments>http://www.ghacks.net/2010/04/29/what-does-facebook-reveal-about-you/#comments</comments> <pubDate>Thu, 29 Apr 2010 09:20:09 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook profile]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=25009</guid> <description><![CDATA[Facebook privacy has been in the news lately with many users thinking that the privacy settings on the site are too darn complicated and hidden to be effective. As a result information is publicly available which some users might have no intention to share with the world. Facebook itself is not really helpful when it [...]]]></description> <content:encoded><![CDATA[<p>Facebook privacy has been in the news lately with many users thinking that the privacy settings on the site are too darn complicated and hidden to be effective. As a result information is publicly available which some users might have no intention to share with the world.</p><p>Facebook itself is not really helpful when it comes to information that they share about a specific user. That user could take a day off and poke around in the vast and extensive settings that affect a user&#8217;s privacy but that&#8217;s not really a practical thing to do.</p><p><span
id="more-25009"></span>A better approach is to request all data from Facebook&#8217;s new API to see which information is revealed about a specific Facebook user.</p><p>What does Facebook publish about you and your friends is such an online service. All it takes is to enter a Facebook username, name, email address or keywords to display information about that user directly on the service&#8217;s page.</p><p>It will display the user&#8217;s name, profile picture and other information if they are publicly available. This includes friends, family, events, activities, posts, notes, likes and more.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/04/facebook_privacy-499x400.png" alt="facebook privacy" title="facebook privacy" width="499" height="400" class="alignnone size-medium wp-image-25010" /></p><p><a
href="http://zesty.ca/facebook/">The tool</a> is pretty handy to reveal which information is shared publicly with anyone who uses the API to retrieve user information.</p><p>Users who notice that information is publicly available might want to check their Facebook privacy settings to block that information. (via <a
href="http://gigaom.com/2010/04/27/want-to-know-what-to-know-what-facebook-is-saying-about-you-try-this-tool/">Gigaom</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/04/29/what-does-facebook-reveal-about-you/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Norton Safe Web For Facebook</title><link>http://www.ghacks.net/2010/04/24/norton-safe-web-for-facebook/</link> <comments>http://www.ghacks.net/2010/04/24/norton-safe-web-for-facebook/#comments</comments> <pubDate>Sat, 24 Apr 2010 08:55:59 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook application]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[norton safe web]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=24830</guid> <description><![CDATA[Norton Safe Web is a URL scanning service offered by Norton. It scans websites and URLs and displays possible threats found on those websites to users of the service. It is in this regard similar to other URL scanning services like AVG Linkscanner or Web of Trust. Norton Safe Web For Facebook is a Facebook [...]]]></description> <content:encoded><![CDATA[<p>Norton Safe Web is a URL scanning service offered by Norton. It scans websites and URLs and displays possible threats found on those websites to users of the service. It is in this regard similar to other URL scanning services like <a
href="http://www.ghacks.net/2010/04/24/norton-safe-web-for-facebook/">AVG Linkscanner</a> or <a
href="http://www.ghacks.net/2008/12/02/web-of-trust-collaborative-online-security/">Web of Trust</a>.</p><p>Norton Safe Web For Facebook is a Facebook application that uses the safe web database to scan a Facebook user&#8217;s feed. The main benefit for the user is that it will scan the feed regardless of the computer the user is accessing Facebook with.</p><p>There is obviously no real advantage for Facebook users who access the social networking site from the same computer where they have proper security software and browser add-ons installed that warn about malicious links.</p><p><span
id="more-24830"></span>The application will automatically scan the user&#8217;s feed once it has been added to the list of installed apps on Facebook.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/04/norton_safe_web_facebook-500x285.png" alt="norton safe web facebook" title="norton safe web facebook" width="500" height="285" class="alignnone size-medium wp-image-24831" /></p><p>The report lists the number of links that have been checked in total as well as the number of safe links, warnings and untested links. Users with no posts in the last few hours will only see zeros in the scan results. This is a bug according to Norton that will be fixed soon.</p><p>Norton is not providing much information about the application itself, especially when and how links are scanned. It is nevertheless interesting to see that security applications are finally starting to appear on Facebook even though this smells a lot like a clever marketing ploy to promote the Norton 2011 security software lineup of which Norton Safe Web is a part.</p><p>Still, if you want to give it a try visit the Facebook application page of Norton Safe Web for Facebook <a
href="http://www.facebook.com/apps/application.php?id=310877173418">to do so</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/04/24/norton-safe-web-for-facebook/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>Facebook Launches Controversial Privacy Settings</title><link>http://www.ghacks.net/2009/12/10/facebook-launches-controversial-privacy-settings/</link> <comments>http://www.ghacks.net/2009/12/10/facebook-launches-controversial-privacy-settings/#comments</comments> <pubDate>Thu, 10 Dec 2009 16:49:17 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[privacy]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=21288</guid> <description><![CDATA[About a week ago Facebook&#8217;s own Mark Zuckerberg posted an open letter to the community announcing some long-awaited privacy changes to the popular social networking website. What most users would not have expected at that time was how controversial these new privacy settings would be. What Mark announced was better privacy for Facebook users. [...]]]></description> <content:encoded><![CDATA[<p>About a week ago Facebook&#8217;s own Mark Zuckerberg <a
href="http://www.ghacks.net/2009/12/02/facebook-privacy-changes-announced/">posted</a> an open letter to the community announcing some long-awaited privacy changes to the popular social networking website. What most users would not have expected at that time was how controversial these new privacy settings would be. What Mark announced was better privacy for Facebook users. What Facebook users got is something different.</p><p>The new release contains some changes that are beneficial for a user&#8217;s privacy on Facebook. These include per-post privacy settings and simpler privacy settings. But there are also major concerns raised by the <a
href="http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly">EFF</a> and <a
href="http://www.aclunc.org/issues/technology/blog/facebook_privacy_in_transition_-_but_where_is_it_heading.shtml">ACLU</a>. These include criticism of the new recommended privacy settings, which actually reduce the privacy that a Facebook user has on the website.</p><p><span
id="more-21288"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/12/facebook_privacy2.jpg" alt="facebook privacy" title="facebook privacy" width="483" height="236" class="alignnone size-full wp-image-21289" /></p><p>There are, for instance, four settings which Facebook previously recommended to be visible only to friends, including posts made by the user and the work and relationship history. The new privacy settings recommend making the data available to everyone. Another three settings that were also recommended to be visible only to friends in the past are now recommended to be visible to friends and their friends, including photos and political and religious views. (<a
href="http://dotrights.org/what-does-facebooks-privacy-transition-mean-you">see</a> &#8220;What does the Facebook privacy transition mean for me&#8221; for the full picture).</p><p>And there are other privacy changes that the EFF calls outright ugly, including on the issue of controlling who gets to see personal information.</p><blockquote><p>Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a &#8220;fan&#8221; of — as &#8220;publicly available information&#8221; or &#8220;PAI.&#8221; Before, users were allowed to restrict access to much of that information. Now, however, those privacy options have been eliminated.</p></blockquote><p>The interesting question in this context is why Facebook changed the privacy settings the way it did. The natural answer at this point seems to be that this was done to increase the exposure of the website to search engines and users.</p><p>Facebook users will receive a notification upon <a
href="http://www.ghacks.net/2009/10/17/facebook-login/">Facebook login</a> that informs them about the changes. It is currently possible to skip the changes. What&#8217;s your opinion on the changes introduced by Facebook?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/12/10/facebook-launches-controversial-privacy-settings/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>Facebook What Do Quizzes Know About You?</title><link>http://www.ghacks.net/2009/12/05/facebook-what-do-quizzes-know-about-you/</link> <comments>http://www.ghacks.net/2009/12/05/facebook-what-do-quizzes-know-about-you/#comments</comments> <pubDate>Sat, 05 Dec 2009 11:47:07 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[faceboo]]></category> <category><![CDATA[facebook privacy]]></category> <category><![CDATA[facebook quiz]]></category> <category><![CDATA[facebook security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=21063</guid> <description><![CDATA[Have you ever asked yourself which information is accessible to quizzes and applications if you allow them to access your account before taking the quiz to find out if you really know everything about becoming a vampire or which superhero your cat resembles most? Most Facebook users might think that those quizzes receive barely any [...]]]></description> <content:encoded><![CDATA[<p>Have you ever asked yourself which information is accessible to quizzes and applications if you allow them to access your account before taking the quiz to find out if you really know everything about becoming a vampire or which superhero your cat resembles most? Most Facebook users might think that those quizzes receive barely any access to the Facebook account, even more so if they have set their Facebook profile to private. That, however, is not true at all, and it might surprise most Facebook users to know that a quiz has access to almost all information in the account, including your religion, sexual orientation, political affiliation, pictures, and groups. But that&#8217;s not all. They also have access to information on friends&#8217; profiles.</p><p>The &#8220;What do quizzes know about you&#8221; quiz at Facebook has been designed to reveal the information that quizzes have access to by displaying that information to the user taking the quiz.</p><p><span
id="more-21063"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/12/facebook_privacy-500x425.jpg" alt="facebook privacy" title="facebook privacy" width="500" height="425" class="alignnone size-medium wp-image-21064" /></p><p>The first question deals with the information that a script can access about the user who allowed the script access to the profile. The quiz will pull information from the user&#8217;s Facebook profile and display it on the page.</p><p>The second question is about the information that a quiz can retrieve from friends of that user even if those friends did not allow access to the quiz. This is again emphasized by displaying various photos and information about friends of the Facebook account owner on the page.</p><blockquote><p>There must be safeguards somewhere, right?</p><p>The only protection Facebook offers by default is its Terms of Service, which state that developers must collect only the information that they need and use it only in connection with Facebook.</p><p>But all it takes to be a developer is an email address, and so few of even the top developers have a privacy policy at all, it&#8217;s hard to believe that Terms of Service will hold them back if they want to collect information, and (as this quiz has shown) they can access a lot of it.</p><p>And once details about your personal life are collected by a quiz developer, who knows where they could end up or how they could be used. Shared? Sold? Turned over to the government?</p></blockquote><p>Experience the privacy issue first-hand by <a
href="http://www.facebook.com/apps/application.php?id=114232425072">taking</a> the &#8220;What do quizzes know about you&#8221; quiz on Facebook.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/12/05/facebook-what-do-quizzes-know-about-you/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Facebook Phishing Scam In The Wild</title><link>http://www.ghacks.net/2009/11/08/facebook-phishing-scam-in-the-wild/</link> <comments>http://www.ghacks.net/2009/11/08/facebook-phishing-scam-in-the-wild/#comments</comments> <pubDate>Sun, 08 Nov 2009 17:52:28 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook login page]]></category> <category><![CDATA[facebook phishing]]></category> <category><![CDATA[facebook security]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=18307</guid> <description><![CDATA[Offering a popular website or web service is not always a blessing. This especially becomes apparent when you have to deal with security-related issues like phishing attacks. Facebook is without doubt one of the most popular sites on the Internet these days and it therefore comes as no surprise that the service is regularly attacked. Trend [...]]]></description> <content:encoded><![CDATA[<p>Offering a popular website or web service is not always a blessing. This especially becomes apparent when you have to deal with security-related issues like phishing attacks. Facebook is without doubt one of the most popular sites on the Internet these days and it therefore comes as no surprise that the service is regularly attacked.</p><p><a
href="http://blog.trendmicro.com/are-you-being-facebook-phished/">Trend Micro</a> is reporting on yet another Facebook phishing attack that is currently in the wild. The attack begins &#8211; like most phishing attacks &#8211; by mass-mailing potential Facebook users, informing them that they need to update their <a
href="http://www.ghacks.net/2009/10/27/facebook-login-page/">Facebook login</a> credentials. A link is offered in that email, and if they follow that link, they land on a website that looks like Facebook. What&#8217;s interesting here is that the email address field of the <a
href="http://www.ghacks.net/2009/10/17/facebook-login/">Facebook login form</a> is already filled out so that the Facebook user only needs to enter the Facebook password to complete the process.</p><p><span
id="more-18307"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/11/facebook_phishing-500x437.gif" alt="facebook phishing" title="facebook phishing" width="500" height="437" class="alignnone size-medium wp-image-18308" /></p><p>A click on the login button will open a new page that contains a link to an update tool which <a
href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=TROJ_ZBOT.CDX">installs</a> a trojan on the user&#8217;s system.</p><blockquote><p>It attempts to access a Web site to download a file which contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains a list of targeted bank-related Web sites from which it steals information. Note that the contents of the file, hence the list of Web sites to monitor, may change any time.</p><p>It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user’s account information, which may then lead to the unauthorized use of the stolen data.</p></blockquote><p><img
src="http://www.ghacks.net/wp-content/uploads/2009/11/fake_facebook_login-500x405.gif" alt="fake facebook login" title="fake facebook login" width="500" height="405" class="alignnone size-medium wp-image-18309" /></p><p>The blog post contains security tips on how to distinguish legitimate emails from phishing emails. Users who are interested in those can visit the blog post, but the most important lesson once again is to avoid clicking on links that are sent via email.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/11/08/facebook-phishing-scam-in-the-wild/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>
