The “Facebook problem” is real and it’s bad. Whatever else you get from this, I’m not trying to play down the impact and continuing risk of data custodians who betray our trust.
It’s just that in the greater scheme of things, account takeover is much more dangerous, much easier to carry out, verified to be ubiquitous on the web today, and yet is almost completely unreported. We should address both this and the Facebook problem, but if we can do only one, it should be this one. This post explains why, and how I’ve tried to address it over time.