Cybersecurity is becoming more and more important as more of the things we use turn digital. The smart home is one example, and IFTTT has become a cornerstone in linking non-compatible devices together. In order to do this, it requires storing log in information to several accounts. This makes it important to ask about its safety and security.
Is it safe to use IFTTT? IFTTT uses standard online security practices to help keep your information safe, but like any online account, it may be hacked at some point in the future. IFTTT may be required to share your data by law, and it may share anonymous data with third-parties without consent. IFTTT does not sell personal data to third-parties without consent.
There are several ways to measure if a website, or online service, is safe & secure or not. And it’s not exactly a black & white answer. There are many grey areas. Let’s take a look at some of the most common ways to access if IFTTT is safe, by looking at what information it collects, how it protects that information, and what additional steps you can take to help protect that information.
This article often references the IFTTT Privacy Policy and Terms & Conditions, which can be found here.
IFTTT Safety & Security: How is Your Data Protected?
What Data Does IFTTT Collect?
The privacy is long and rather confusing in some of the working. I’m no lawyer, but from what I could gather, IFTTT collects all the information about you that it can. It stores information that you provide, it stores information that it gathers from third-parties, and it stores information that is provided to it from the services you connect.
Here is the list that IFTTT states in their Privacy Policy of the information they may collect:
- First and last name
- Email address
- Mailing address
- Telephone number
- Transaction Information (IFTTT does not store your credit or debit card information)
- User content, for example, action ingredients that are displayed when an Applet runs
- IP address
- Device identifiers
- Web browser information
- Page view statistics
- Browsing history
- Usage information
- Transaction information (e.g. transaction amount, date and time such transaction occurred)
- Cookies and other tracking technologies (e.g. web beacons, pixel tags, SDKs, etc.)
- Location information (e.g. IP address, zip code)
- Log data (e.g. access times, hardware and software information)
IFTTT Security Measures
IFTTT uses standard web-encryption methods to securely transfer data between your computer and its servers. IFTTT’s privacy policy states that they use SSL, which is what most websites use to help secure communication.
You’ll notice a lock symbol next to the URL indicating that a secure link has been established and that the site has a valid security link. You can click on the lock symbol to get more information about the security certificate.
In other words, don’t send private information while on a public network. If you are on a public network, I personally recommend using a VPN to encrypt traffic. This will help keep your information from being read by other computers on the same network.
Once IFTTT has your information, they have to store it on one of their computers. Their policy states that this information is stored securely, but it doesn’t describe what that means. Typically, it means the data is encrypted, and a key is needed to make it readable.
This is pretty standard policy for storing data, and from all the news reports we’ve heard on companies being hacked, we know that it doesn’t exactly mean all your data is secure. It also doesn’t mean that all your data is encrypted. It may just be a portion of your personal data.
How Does IFTTT Share the Data it Collects?
This is where reading through the privacy policy can get confusing.
First, they don’t sell your data without your consent.
Second, they may share your data without consent, but with personally identifiable information removed.
Third, they may share your data with personally identifiable information to IFTTT partners in order to grow their business, but those partners must protect your data like IFTTT does.
Fourth, there is a sentence in there that basically says we may have to share your information with government, and your data may be illegally obtained: “we may be forced to disclose personal information to the government or third parties under certain circumstances or third parties may unlawfully intercept or access transmissions or private communications.”
After reading all those exceptions, it seems to me like they are sharing a lot of data, but not directly making money off of it.
Can you Trust IFTTT?
The opening line on the IFTTT terms and conditions page says, “User trust is core to the IFTTT experience. People trust us to get their services and devices talking with each other in a reliable way.” When someone says that I can trust them, I immediately begin to question that. Especially if it the first thing they say.
IFTTT can be trusted as far as their policy outlines. IFTTT has a legal obligation to protect your data according to their privacy policy, but they do not publicly state how your information is protected. The IFTTT policy does stat that they will protect themselves first before they protect you.
One of my biggest concerns is that there is nothing about IFTTT security controls and architecture on their website. We have no idea how our data is secured, which creates very little trust from my prospective.
IFTTT Safety & Security: Can IFTTT be Hacked and How to Prevent It?
Can IFTTT be hacked?
IFTTT, just like any other online account, can be hacked if someone obtains your login credentials. There are no public records of IFTTT servers being hacked.
When someone says they got Hacked, they typically mean that someone was able to access their account using their username and password. It may have been guessed, or it may have been bought off the black market from other hackers.
My concern is about the data someone can obtain very quickly if they are able to log into your account. The IFTTT term and condition page has a section near the top titled “Take your data anywhere”, in which they clearly state that all the user’s data can be emailed to the user.
That would mean the hacker would also need access to your email, or they could just change the email address. Alternatively, imagine if you are using a service that stores your email credentials. The hacker could just look at that, and not even have to change your IFTTT email address.
Are IFTTT Applets Safe?
Most IFTTT applets are safe to use, as they don’t use much information other than the fields that you fill in as part of the trigger and action. But….
The IFTTT applet creator has the option to hide fields, and there is no way for the end-user to know about them. Also, IFTTT applets can have “filter code”. Filter code is written in JavaScript and can’t be view. The JavaScript could potentially have malicious code in it.
The best option is to use IFTTT applets that have been marked as verified.
How to Prevent Being Hacked
There are numerous methods to help secure your online accounts. Here are two steps you can take today.
Use a Unique Password
A lot of people use the same credentials for IFTTT as they do for many other accounts, like social media or online banking. If any one of those accounts is hacked, then your credentials could potentially be used on IFTTT.
The first thing I recommend is to use a unique password for IFTTT. One that you don’t use anywhere else. I know this is annoying, but it makes your IFTTT account more secure if another account was hacked. If those usernames and passwords are leaked, they can’t be used to login to your IFTTT account.
I recommend a unique password for every account, which makes it so you’ll need a password manager. There are lots of good ones out there, so take your pick as far as that goes. Google and Mozilla both offer this type of service.
Use Two Step Verification: Two Factor Authentication (2FA) On IFTTT
IFTTT calls it two-step verification. The industry name for it is two-factor authentication. This means that when you log into IFTTT from an IP address that it doesn’t recognize, such as a computer you haven’t used before, it will require a second piece of authentication in addition to your password.
Your password is the first piece of authentication. The second piece that we’ve become familiar with is receiving a text message with a code. IFTTT has this option as well as an option to use an authenticator app.
Here’s a video on how you can enable this type of authentication. Really, I question why it’s not enabled by default.