I'm sure by now you either have a Facebook account or had one at some point. That's an easy assumption to make since the social media giant has 2 billion active users in the world.
Some people are actually addicted to the site. It's the first website they visit when they wake up in the morning and the last one they check out at night. Unfortunately, a recently discovered flaw could let someone else take total control of your account.
How hackers could take over your Facebook account
What we're talking about is old phone numbers linked to Facebook accounts. Computer programmer James Martindale discovered a flaw in Facebook's account recovery system.
He recently got a new phone number for his smartphone and started receiving reminders from someone else's Facebook account. Martindale went to Facebook and did a search for the phone number. Sure enough, the search results showed him who the account belonged to.
He did a little more investigating and realized that when you select "forgot password" while trying to sign into Facebook, you have the option to receive a recovery code via SMS. This means Facebook will send a text message to the phone number associated with the account, allowing whoever now holds that number to change the account password and take total control.
Here is what the "Reset Your Password" prompt looks like. It gives you the option to receive the code via email or text. I've blocked out the account holder's name and phone number.
Image: Example of Facebook's password reset prompt.
Can you imagine what this could lead to? A cybercriminal could use services like FreedomPop or Google Voice to purchase inexpensive phone numbers as often as they'd like and match them with Facebook accounts of unsuspecting victims.
Once a cybercriminal takes over an account they can sell it on the Dark Web or other more public sites. They could even pose as the victim and send messages to friends and family asking for money or personal data that could lead to more fraud. Since the request is supposedly coming from someone they know, they might send money without thinking twice.
Having your account hijacked could lead to a number of terrible possibilities. Whenever you get a new phone number, it's critical to delete your old number from all online accounts. That way when your old number gets recycled it won't show up on a search like it does in this scenario.
What you need to do ASAP
The first thing that you need to do is delete all of your old phone numbers that are associated with your Facebook account. In fact, delete them from all of your online accounts.
Then, follow these safety steps to stay protected online:
- Remove old numbers and addresses - not only do you need to remove old phone numbers associated with online accounts but also old email addresses.
- Delete old accounts - it's critical that you lock down all of your online accounts with secure passwords and shut down accounts that are no longer active. A site called AccountKiller can help by making it simple to track down all of your online accounts.
- Get a Facebook security checkup - Facebook has a security checkup feature to help you stay safe. You can set up login alerts to let you know when your account is logged into from an unrecognized device or browser.
- Investigate your online accounts - Have I Been Pwned is an easy-to-use site with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to ten minutes about the latest hacks and exposures.
- Set up two-factor authentication when available - Two-factor authentication, also known as two-step verification, means that to log into your account, you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID.
- Change your password - If you have older accounts and decide to keep them, it's a good idea to change your passwords.
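The recycled-number problem described above, and the "remove old numbers / turn on two-factor" advice in the steps, can both be expressed as service-side policy. The following is an added example written for this article; it is not Facebook's code or James Martindale's, and it does not model how Facebook's recovery flow actually works. The `Account` structure, the `STALE_AFTER` window (a number the owner has not re-confirmed within 180 days is treated as possibly recycled), and every phone number, email and timestamp are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption (not from the article): a number the owner has not re-confirmed
# within this window is treated as possibly reassigned by the carrier.
STALE_AFTER = timedelta(days=180)


@dataclass
class Account:
    user_id: str
    email: str
    # phone number -> when the owner last confirmed it still belongs to them
    phones: dict
    two_factor: bool = False


def stale_phones(account: Account, now: datetime) -> list:
    """Numbers on the account that have not been re-confirmed within STALE_AFTER."""
    return sorted(p for p, seen in account.phones.items() if now - seen > STALE_AFTER)


def prune_stale_phones(account: Account, now: datetime) -> list:
    """The article's 'delete old numbers' step, applied by the service rather
    than relying on the user to remember. Returns the numbers removed."""
    removed = stale_phones(account, now)
    for p in removed:
        del account.phones[p]
    return removed


def recovery_decision(account: Account, channel: str, target: str, now: datetime) -> tuple:
    """Decide how a 'forgot password' request addressed to `target` over
    `channel` ('sms' or 'email') may proceed. Returns (action, reason).
    The point of the policy: an SMS code alone never resets the password
    when the number might belong to someone else by now."""
    if channel == "email":
        if target != account.email:
            return ("deny", "email not on account")
        return ("send_code", "email on account")
    if channel != "sms":
        return ("deny", "unknown channel")
    if target not in account.phones:
        return ("deny", "number not on account")
    if target in stale_phones(account, now):
        # The number may have been recycled to a stranger: fall back to a
        # channel the original owner still controls instead of trusting SMS.
        return ("require_email_confirmation", "number not confirmed recently")
    if account.two_factor:
        # Two-factor is on: the SMS code is only one of the two proofs needed.
        return ("send_code_plus_second_factor", "two-factor enabled")
    return ("send_code", "number confirmed recently")


# Constructed demo data (not real accounts or numbers).
DEMO_NOW = datetime(2017, 6, 1)


def make_demo_account() -> Account:
    """An account with one long-abandoned number and one recently confirmed one."""
    return Account(
        user_id="demo-user",
        email="owner@example.invalid",
        phones={
            "+15550100": DEMO_NOW - timedelta(days=400),  # old number, possibly recycled
            "+15550199": DEMO_NOW - timedelta(days=10),   # current number
        },
    )


if __name__ == "__main__":
    acct = make_demo_account()
    for number in ("+15550100", "+15550199", "+15550177"):
        print(number, recovery_decision(acct, "sms", number, DEMO_NOW))
    print("stale:", stale_phones(acct, DEMO_NOW))
    print("removed:", prune_stale_phones(acct, DEMO_NOW))
    acct.two_factor = True
    print("+15550199 with 2FA:", recovery_decision(acct, "sms", "+15550199", DEMO_NOW))
```

Run as a script, the old number is refused an SMS-only reset, the current number is allowed, an unknown number is denied, and once two-factor is on the SMS code is no longer sufficient by itself. The same threshold drives `prune_stale_phones`, which is the automated form of the "remove old numbers" step: a number nobody has re-confirmed in months is exactly the kind that shows up in a search after the carrier hands it to someone new.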