Hi Joel, anything you would recommend other devs who're connecting with Facebook or any other social media API to look into? Maybe you can share what you guys have learned regarding security and how to do it better from this.
The best thing we've learned here is to enable a setting Facebook has called "Require AppSecret Proof for Server API calls". They actually have a lot of great security features which we've not been making use of.
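For readers unfamiliar with that setting: once "Require AppSecret Proof for Server API calls" is on, Facebook rejects Graph API calls made with an access token unless they also carry an `appsecret_proof`, an HMAC-SHA256 of the token keyed with the app secret. A leaked access token is then useless on its own, because the proof can only be produced by someone who also holds the app secret. The following is an added example (not Buffer's code); the secret and token values are constructed placeholders, and `verify_proof` is a local model of the check Facebook performs server-side.

```python
import hashlib
import hmac
from urllib.parse import urlencode


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """Compute the appsecret_proof parameter Facebook expects:
    HMAC-SHA256 keyed with the app secret over the access token, hex-encoded."""
    return hmac.new(
        app_secret.encode("utf-8"),
        access_token.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()


def graph_api_query(access_token: str, app_secret: str, fields: str = "id,name") -> str:
    """Build the query string for a server-side Graph API call that includes the proof.
    The app secret itself never leaves the server; only the HMAC does."""
    return urlencode({
        "access_token": access_token,
        "fields": fields,
        "appsecret_proof": appsecret_proof(app_secret, access_token),
    })


def verify_proof(app_secret: str, access_token: str, presented_proof: str) -> bool:
    """Local model of the check enforced once the setting is enabled: the call is
    accepted only if the presented proof matches. Constant-time comparison avoids
    leaking the expected value through timing."""
    expected = appsecret_proof(app_secret, access_token)
    return hmac.compare_digest(expected, presented_proof)


# Constructed demo values (not real credentials).
APP_SECRET = "constructed-app-secret-not-real"
ACCESS_TOKEN = "EAAB-constructed-user-access-token"

if __name__ == "__main__":
    good = appsecret_proof(APP_SECRET, ACCESS_TOKEN)
    # An attacker who stole only the token cannot compute the proof without the secret.
    forged = appsecret_proof("attacker-guess-of-secret", ACCESS_TOKEN)
    print("legitimate call accepted:", verify_proof(APP_SECRET, ACCESS_TOKEN, good))
    print("stolen-token call accepted:", verify_proof(APP_SECRET, ACCESS_TOKEN, forged))
    print(graph_api_query(ACCESS_TOKEN, APP_SECRET))
```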
I think, considering the gravity of the situation, you and your team have handled this nightmare pretty well so far. Any of us who write software could end up in a similar situation, be it caused by a small configuration mistake, a slightly out-of-date 3rd-party library, or a skilled, determined attacker.
When I see a local credit union site written in VBScript get hacked, I don't worry too much because it was probably riddled with SQL-injection bugs that any script kiddie can exploit. However, I know that you guys take data security seriously (you and I Skyped a while ago) and yet this happened. That's what worries devs like me the most.
I think it would be very helpful to us all (including many of your tech-savvy users) if you would write a detailed blog entry describing what actually happened and how. I believe you're encrypting tokens now, but how did they get exposed in the first place? Was it a framework issue? Unhandled exceptions? Wrong chmod on a log file? New employee hooking up a trojaned PC to your internal network? Here's hoping you feel comfortable sharing.
We're working pretty hard to get to the bottom of everything.
Let me know if you have questions; I'll try to answer them all.