By SecureWorld News Team
Mon | Jul 25, 2016 | 11:46 AM PDT

By Courtney Theim
SecureWorld Media


Hackers don't always need fancy software and a high IQ to hack into your account - sometimes all they have to do is ask.

A user named Aaron (SquidWhale) posted a thread on Reddit detailing how a hacker was able to gain access to his Facebook account by simply corresponding with their help team - while the hacker pretended to be Aaron.

The hacker gained access through Aaron's email account, although not the one connected to Facebook. The hacker told Facebook's help team that he was unable to log in to his account with his usual email address and requested that he be granted access.

The conversation was posted by Aaron on the Reddit forum:

The hacker was able to delete Aaron's business pages from his account, and also sent his fiance a graphic photo. All they had to do was email Facebook's support team and send in an ID to verify their identity. However, the ID the hacker submitted had nothing in common with the real Aaron except for his name.

When Aaron became aware of the situation, which had taken place while he was sleeping, he posted on Reddit: "there was no notification on Facebook, no notification on my cell phone, there was a notification in my email account, but it's not an email account I check daily."

Aaron was able to regain control over his account and have all of his pages restored, but not until he posted on Twitter to attract the attention of Facebook, which kept redirecting him to its help pages.

In an edit to his Reddit thread, Aaron suggests steps to prevent this kind of attack from happening again:

"Given the severity of the theft of information if someone were to hack into your account, I think Facebook should freeze the account to see if the owner does eventually use the original email, or phone number to get back into the account. I'd say the account should be frozen for at least 30 days before they allow photo ID to be accepted. Yes, this may annoy some people who actually lost access, but they can likely get access to their phone number or email faster than 30 days. Plus Facebook has post blocks that are 30 days so it's not like it's an unreasonable time span. I think this rule should also be applied to any request to turn off two step verification. Maybe even a text message/email should go out asking if it's you if that's requested. If the request is from a suspicious IP that seems unrelated with the normal IP of the account, it shouldn't be accepted. Allowing users to willingly file a copy of their ID (with blurred info) with Facebook in case of these sorts of situations is an idea as well, so when something like this happens, the user has to respond with the ID they previously filed. Also, if trusted friends are added on the account, I feel like they should accept that over ID to verify identity."
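The recovery rules Aaron proposes (proof of control of the original email or phone, a 30-day freeze before photo ID counts, rejection of requests from unrelated IPs, an out-of-band check before two-step verification is turned off, a pre-filed ID, and trusted contacts accepted over ID) can be written down as one decision function. This is an added example, not code from the Reddit post or from Facebook; the trusted-contact quorum of three and the hashed-ID comparison are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FREEZE = timedelta(days=30)   # the 30-day freeze from the post
TRUSTED_QUORUM = 3            # assumption: how many trusted contacts must vouch

@dataclass
class Account:
    primary_email: str
    phone: str
    usual_ips: set                      # IPs the account is normally used from
    trusted_contacts: set = field(default_factory=set)
    filed_id_hash: str | None = None    # hash of an ID the owner filed in advance (optional)
    frozen_since: datetime | None = None

@dataclass
class RecoveryRequest:
    kind: str                           # "regain_access" or "disable_2fa"
    contact_used: str                   # email or phone the request arrives from
    source_ip: str
    now: datetime
    submitted_id_hash: str | None = None
    trusted_approvals: set = field(default_factory=set)
    oob_confirmed: bool = False         # owner answered the "is this you?" text/email

def evaluate(acct: Account, req: RecoveryRequest) -> tuple[str, str]:
    """Decide a support request; returns (decision, reason). May set acct.frozen_since."""
    # Proof of control of the original email or phone is the normal path and ends any freeze.
    if req.contact_used in (acct.primary_email, acct.phone):
        acct.frozen_since = None
        return "grant", "request made from the original email or phone"
    # A request from an IP unrelated to the account's normal IPs is not accepted at all.
    if req.source_ip not in acct.usual_ips:
        return "deny", "source IP unrelated to the account's normal IPs"
    # Turning off two-step verification first needs the out-of-band "is this you?" confirmation.
    if req.kind == "disable_2fa" and not req.oob_confirmed:
        return "confirm_out_of_band", "awaiting confirmation sent to the original contact"
    # Trusted contacts vouching for the owner is accepted instead of a photo ID.
    if len(req.trusted_approvals & acct.trusted_contacts) >= TRUSTED_QUORUM:
        acct.frozen_since = None
        return "grant", "quorum of trusted contacts vouched for the owner"
    # Otherwise freeze the account; a photo ID is only considered once the freeze has elapsed.
    if acct.frozen_since is None:
        acct.frozen_since = req.now
    if req.now - acct.frozen_since < FREEZE:
        remaining = FREEZE - (req.now - acct.frozen_since)
        return "freeze", f"photo ID not accepted for another {remaining.days} day(s)"
    if req.submitted_id_hash is None:
        return "deny", "freeze elapsed but no photo ID submitted"
    if acct.filed_id_hash is not None and req.submitted_id_hash != acct.filed_id_hash:
        return "deny", "submitted ID does not match the ID filed by the owner"
    acct.frozen_since = None
    return "grant", "freeze elapsed and photo ID accepted"
```

With these rules, the request described in the article (a different email address plus an ID that shares only the name) would have been frozen for 30 days rather than granted overnight, and a pre-filed ID would have rejected it outright.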
