Major sites using Facebook’s Single Sign-On don’t implement basic security features, potentially making the fallout of last week’s hack much worse.