Steps to Hack Facebook Account and Way to Shield From the Same


How would you react if you knew your Facebook account had been hacked? Worse, what if the hacker not only got into your account, but changed the login ID, reset all security settings, removed alternative emails and phone numbers, and left you with absolutely no means to recover your access? Blame your not-so-complex password? Not really. It's a flaw in Facebook's legacy security settings which anyone can exploit. You don't need to be a hacker to do it either. Read on for the step-by-step method used to hack into a Facebook account, and for a way to shield yourself from such an attack as well.
The Facebook account of somebody close to me was hacked early yesterday morning. What followed was a deep investigation to recover the account and to find out what exactly had happened. Thanks to Mr. Hacker, I now know the precise steps by which this was done, and I figured out ways to protect against such an attack. Here are the details.

The objective here is not to encourage such hacking, but to create awareness and help you secure your account from such an easy but brutal hack.

Part A: The Hack

Step 1: Log off from Facebook and go to https://www.facebook.com/recover/initiate
Step 2: Enter the username, email ID or name of the target account. Click Search.

Step 3: Facebook gives you the following options to recover the target account.
You will see the profile picture of the target account on the right. It has been blurred here.
Step 4: Click on the "No longer have access to these?" link at the bottom left.
Step 5: Facebook gives you the option to enter a new email ID to be linked to the target account. Provide your own email ID. Make sure it is not linked to any existing Facebook account. Click Continue.
Step 6: Unless you have set up the right security settings, Facebook asks the security question that was chosen when the Facebook account was created. In most cases, the answer to this question is anybody's guess. See the example below.
Step 7: Assuming you entered the answer correctly, you will be presented with an option to set a new password.
Step 8: Facebook will now send a link to your email ID (the one you provided in Step 5) to link that email ID to the target account. Click on that link.
Step 9: Once you activate the link you received in your email, Facebook attaches the new email ID and the new password to the account. You still need to wait 24 hours.
Step 10: Wait for 24 hours. Bingo. You now have access to the account with the new email ID and password that you specified.

There are some major concerns with this implementation. I hope Facebook fixes them sometime.

  • There is no way to change the security question or the answer to it. If you made a mistake in selecting a very simple question and obvious answer while registering... too bad.
  • There are no notifications to the original email ID when somebody tries to add a new email ID, at least during that 24 Hr window.
  • It basically assumes everyone in the world is very honest :-)

Part B: Shielding your account from this hack

If the hack is easy, shielding yourself from it is even easier. Follow these steps.
Step 1: Log in to Facebook and go to "Account Settings". Select the "Security" tab from the left-hand menu.
Step 2: Click on Trusted Contacts. The screen below opens.
If no trusted contacts are specified, your account is vulnerable to the above hack.
Step 3: Click on Choose Trusted Contacts. Facebook will pop up a screen describing what Trusted Contacts are. Click on "Choose Trusted Contacts" on the pop-up.
Specify at least 3 and at most 5 friends from your list whom you can trust. Below are some recommendations for selecting Trusted Contacts:
  1. Somebody who is close to you and whom you can fairly trust
  2. Somebody who will be reachable outside of Facebook, by phone or in person
  3. Someone who will have access to their own Facebook account when you are in need
  4. Typically your immediate family, close friends or colleagues will do.
Note that Trusted Contacts will only help you recover your account in a safe manner. They will NOT get access to your account.
Step 4: Done.

Part C: How does this safeguard against the hack?

Assuming a hacker tries to follow the steps above, he or she will get stuck at Step 6. Instead of asking the vulnerable security question, Facebook will show the following screen.
This account recovery process requires you to get in touch, offline (by phone or in person), with the three (or up to five) trusted contacts that you added earlier. They will need to go to the URL https://www.facebook.com/recover, where Facebook will ask them to confirm that "you" had contacted them and that you really want to recover the account. If they confirm, they will be presented with a numeric code that they need to tell you, and you will need to enter it on the above screen. This needs to be done with all of the trusted contacts.
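As an added illustration (not code from the post or from Facebook), the following Python model contrasts the two recovery paths described above: a single guessable security answer versus one-time codes that every trusted contact must hand over out of band. The `Account`, `RecoveryService` and `recover` names, the six-digit codes, and the notification sent to the original mailbox are assumptions made for the model.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    security_answer: str                            # legacy path: one guessable secret
    trusted_contacts: list = field(default_factory=list)
    notices: list = field(default_factory=list)     # what the original mailbox receives

class RecoveryService:
    """Hypothetical service; names and flow are assumptions, not Facebook's API."""

    def __init__(self):
        self._pending = {}   # account email -> {trusted contact: one-time code}

    def initiate(self, account, new_email):
        # Tell the original mailbox immediately (the post notes the real flow did not).
        account.notices.append(f"recovery started; new email requested: {new_email}")
        if not account.trusted_contacts:
            return "security_question"              # the vulnerable legacy path
        # One distinct 6-digit code per trusted contact, handed out only via /recover.
        self._pending[account.email] = {
            c: f"{secrets.randbelow(10**6):06d}" for c in account.trusted_contacts}
        return "trusted_contacts"

    def code_for_contact(self, account, contact):
        # A contact who confirms the owner reached them out of band gets their code.
        return self._pending[account.email][contact]

    def complete(self, account, answer=None, codes=None):
        if not account.trusted_contacts:
            return hmac.compare_digest(answer.strip().lower(),
                                       account.security_answer.lower())
        expected = self._pending.get(account.email, {})
        codes = codes or {}
        # Every trusted contact must have supplied a matching code, as the post describes.
        return bool(expected) and set(codes) == set(expected) and all(
            hmac.compare_digest(codes[c], expected[c]) for c in expected)

def recover(contacts, cooperating, answer=None):
    """One recovery attempt; `cooperating` are the contacts who hand over their code."""
    acct = Account("owner@example.com", "Rex", list(contacts))   # constructed sample
    svc = RecoveryService()
    svc.initiate(acct, "new@example.com")
    codes = {c: svc.code_for_contact(acct, c) for c in cooperating}
    return svc.complete(acct, answer=answer, codes=codes)
```

With no trusted contacts, `recover([], [], answer="rex")` succeeds on a guessed pet name; with three contacts, only an attempt backed by all three codes succeeds, and one colluding contact is not enough.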

Given the importance of social media in our day-to-day lives, it is critical to safeguard your Facebook account if you have one. Remember that even if you are not very active on Facebook, if your account gets into the wrong hands, those hands can make it active... possibly in the wrong way.

Hope this helps. I hope you secure your account by setting up Trusted Contacts. I will be happy to be one of those for you :-)

Amol Mategaonkar

