You’ve probably given a few applications or websites access to your Google, Facebook, Twitter, Dropbox, or Microsoft account. Every application you’ve ever allowed keeps that access forever — or at least until you revoke it.
In other words, there are probably quite a few other web services that have access to your personal data. You should regularly check your lists of connected services on the websites you use and remove services you no longer use.
Why Third Parties Probably Have Access to Your Accounts
When you use an application or web service that requires access to an account — for example, anything in your Google account, files in your Dropbox account, tweets on Twitter, and so on — that application generally doesn’t ask for the service’s password. Instead, the application requests access using something called OAuth. If you agree to the prompt, that app gets access to your account. The account’s website provides the service with a token it can use to access your account.
This is more secure than just giving the third-party application your password because you get to keep your password. It’s also possible to restrict access to specific data — for example, you might authorize a service to access your Gmail account but not your files in Google Drive or other data in your Google account.
When you give an app access, you see a permission prompt on the website you use. So, if you give an app access to your Google account, you’ll see a permission prompt on the Google website.
So far, so good. But it’s easy to forget which apps and services have access to your account. You might try an app once and never use it again, or you might have stopped using an app years ago. If you don’t check your list of authorized applications and remove that app, it still has access. The app could use its access to gather data about you without your permission. The app could be sold to new owners who want to use the app to make a quick buck — like how popular Chrome extensions are sold to advertisers who pack them full of adware. Or the web service itself could be compromised by attackers who use its access to accounts to do something bad.
Changing your password won’t automatically revoke access to connected apps, either. Even if you change all your passwords and think you’re starting over from scratch, services you’ve given access to your account will maintain that access.
You should only give access to applications you trust and regularly use. If you don’t use a service or application anymore, you should remove its access just to be safe.
Use These Links
To secure your accounts, you’ll need to visit a specific page on each website you use and check your list of connected services. If you see a service or app you no longer use, revoke its access to your account with a click or two.
To speed this up, we’ve collected a list of links to the appropriate pages on popular websites that use OAuth. If you use a service, click its link to check your list of connected services and revoke access to services you no longer use:
If you use another website and you’ve given third-party applications access to it with a similar-looking OAuth prompt, you’ll need to check its account settings page and look for a list of connected sites, services, or apps to manage.
It’s generally a bad idea to click links on websites that promise to access your Google, Microsoft, Facebook, or Twitter accounts and sign in with your password. Phishers impersonate sites in this way to steal your passwords. If you see a password prompt after clicking a link like the ones above somewhere on the web, be sure to verify that you’re actually on the real website and not a fake, imposter site.
Deciding what applications to remove is easy — if you don’t use it, revoke access to it. Be sure to check your list of connected applications and websites regularly on the websites you use. If you give an application or service access to sensitive data, be sure to revoke its access when you stop using it.
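The review described above can be run as a small script. This is an added example, not part of the original article: it sorts an inventory of connected apps into revoke and keep lists. The app names, scope labels, dates, the 90-day staleness threshold, and the set of scopes treated as sensitive are all assumptions made for illustration.

```python
from datetime import date

# Constructed inventory: what you might jot down from a "connected apps" page.
# App names, scope labels and dates are made up for illustration.
GRANTS = [
    {"app": "PhotoPrintShop", "scopes": ["drive.readonly"], "last_used": date(2021, 3, 14)},
    {"app": "MailSorter", "scopes": ["mail.read", "mail.send"], "last_used": date(2024, 5, 30)},
    {"app": "QuizGame", "scopes": ["profile"], "last_used": None},  # tried once, never used
    {"app": "CalendarSync", "scopes": ["calendar"], "last_used": date(2024, 6, 1)},
]

# Assumption: scope labels treated as sensitive; adjust to each site's wording.
SENSITIVE = {"mail.read", "mail.send", "drive", "drive.readonly", "contacts"}
STALE_AFTER_DAYS = 90  # assumption: "no longer use" means untouched for ~3 months


def review(grants, today, stale_after=STALE_AFTER_DAYS):
    """Return (app, action, reason) tuples, most urgent first."""
    results = []
    for g in grants:
        sensitive = sorted(SENSITIVE.intersection(g["scopes"]))
        idle = None if g["last_used"] is None else (today - g["last_used"]).days
        stale = idle is None or idle > stale_after
        if stale:
            # Unused grants still hold a working token, so they go first.
            reason = "never used" if idle is None else f"idle {idle} days"
            if sensitive:
                reason += "; holds " + ", ".join(sensitive)
            results.append((g["app"], "revoke", reason))
        elif sensitive:
            results.append((g["app"], "keep-but-watch", "in use; holds " + ", ".join(sensitive)))
        else:
            results.append((g["app"], "keep", "in use"))
    order = {"revoke": 0, "keep-but-watch": 1, "keep": 2}
    # Within each action, list grants holding sensitive scopes first.
    results.sort(key=lambda r: (order[r[1]], "holds" not in r[2]))
    return results


if __name__ == "__main__":
    for app, action, reason in review(GRANTS, today=date(2024, 6, 10)):
        print(f"{action:15} {app:15} {reason}")
```

Changing your password does not shorten this list; only revoking each app on the site's connected-apps page does.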