A rather interesting story unfolded on Reddit’s r/technology last week – one that shows that when things go wrong with the security of your social media account, things can go really wrong quite fast.
The Reddit user SquidWhale, whose name is Aaron, posted a story with this title: “TIL [Today I learned] that someone can change your Facebook email, password, and two step verification just by asking Facebook to turn off login approvals, and sending in a fake ID. (Happened to me lost all my business pages)”
How the hacker gained access
Aaron posted a number of screenshots showing the conversation between the hacker, posing as Aaron, and the Facebook support system. According to Aaron, the hacker emailed Facebook from the hacker’s own email account – an account that was not associated with Aaron’s Facebook account at all – and claimed that he was Aaron, unable to log in to his usual email address.
In response, Facebook Support asked for ID verification to change the email address associated with Aaron’s account and disable two-factor authentication, but the ID provided had completely incorrect information that didn’t even match Aaron’s.
Just by being insistent and providing faulty identification, the hacker was able to get Facebook Support to change an account’s email address, password and disable two-factor authentication. According to Aaron’s post, it only took the hacker about 4 hours to gain complete control over the account.
Adding insult to injury, once he had access, the hacker deleted a number of Facebook Pages that Aaron created for his business, and even sent Aaron’s fiancee obscene pictures.
In the Reddit post, Aaron described his frustration in trying to get help to remedy this situation:
I’m trying to communicate through the help section forms, but I keep getting different people, and they all keep referring me to the help section. Which I then go to, and submit the form, and get another person that refers me to the help section. Infinite loop.
It took a Twitter outreach campaign to Facebook staffers to get the attention of the Facebook Security team to intervene and start restoring proper access.
Thankfully, this story has a happy ending. According to Aaron’s post, he was able to work with the Facebook Security team and successfully regain access to his account as well as restore all the pages the hacker had deleted.
What this means for the rest of us
This incident showed that even a massive company like Facebook can find its services and accounts susceptible to what’s called “social engineering,” which is basically behaving in a way to get someone else to do what you want. No fancy technology was needed for this “hack,” all the criminal did was make a request and act convincingly.
Hopefully this issue will help Facebook to implement new procedures to prevent this kind of account takeover from happening so easily. But in the meantime, there are a few things you can keep in mind to minimize the chances of something like this happening to your account:
- Take a moment to review the email address you have linked to your Facebook account, and frequently check it. Aaron noted that Facebook did notify him of the account changes, but the notification went to an email address he didn’t check often. The hacker in this case made his move while Aaron was asleep, so there’s not much he could have done to stop the attack while it was happening. But thanks to his quick action, he was able to get control back without long-term damage.
- Enable Facebook Login Alerts. Even if someone does socially engineer their way into your account, when they log in, they’re likely to be in a different location to you. This unusual activity will trigger an alert to your account, allowing you to take action quickly.
Image of Lego Facebook hacker courtesy of Lewis Tse Pui Lung / Shutterstock.com
Mahhn
It also reminds us that just because something was deleted on fb, it’s still there.
Good story.
Maria Varmazis
So very true. And thank you!
joemtc
This doesn’t seem like social engineering. This is more like Facebook’s negligence in following their own policies and procedures to protect their customers. Social engineer usually involves tricking someone into doing something they shouldn’t be doing, but if Facebook were to simply follow their own rules it would have been easy to see Aaron wasn’t the one asking for the changes. This is a good story, and a lesson for anyone who works in customer service to verify the identity of a customer properly.
Kimberly
What I find extra frustrating is that I’ve spent countless hours submitting reports to Facebook over the last 3 months regarding functionality that is broken with Business Pages. This is the #1 complaint in the Help Center, but with no response at all from Facebook. And yet a hacker can get an actual Facebook employee to give them access to someone else’s account in just 4 hours? Ugh!