You probably know someone whose Facebook account was hacked. You would think a company as large and powerful as Meta would be better at preventing that sort of thing, but it’s all too common.
Hackers hijack social media accounts to spread malware, steal personal and financial information and spread lies. And the problem is you may not even know your account was compromised until it’s too late. Tap or click here for the warning signs to look out for.
A hacker who gains access to one of your accounts can use it to cause damage elsewhere. This is why we recommend using unique logins with strong passwords across your accounts. A security researcher was able to hijack Facebook accounts by users logging in with their Gmail credentials.
Here’s the backstory
Do you log in to your Facebook account with Gmail? We’ve warned you about using the same account for multiple logins, and here’s a prime example of why you shouldn’t.
Security researcher Youssef Sammouda showed that a threat actor could hijack a Facebook account after stealing a Gmail OAuth id_token/code used to login to Facebook.
OAuth is a common authentication framework that lets you grant limited access from one application to another. You see this when you use your Facebook or Gmail account to log into other accounts. You get access to that account without providing it with your login credentials.
Sammouda was able to chain multiple bugs using Google OAuth to exploit a series of Facebook vulnerabilities. “We log out the user from their Facebook account, we force the login to the attacker’s Facebook account,” Sammouda told The Daily Swig.
Sammouda reported the bugs to Meta on Feb. 16, and the company fixed the issue on March 21. Meta paid Sammouda a bug bounty of $44,625 for his work.
RELATED: Facebook privacy settings: Most important security checks to do now
Reduce your chances of being hacked
Use unique logins and passwords for your accounts. This may seem like a pain, but password managers simplify the process by generating and storing login information for all your devices and accounts.
Password managers can be installed as software or accessed through a website, browser extension or the cloud. Tap or click here for everything you need to know about password managers.
Make sure you have your login email/number and password safely stored. Set up your recovery email or number in case your account is compromised.
To add a second email address to your Facebook account on PC:
- Click the down arrow in the upper-right corner.
- Go to Settings & privacy > Settings.
- Select Account Settings from the left pane and click Edit next to Contact.
- Select Add another email or mobile number.
- Enter an email address or phone number that you have access to and click Done.
- Atp Add your phone number? to add and confirm a number.
To add a second email address to your Facebook account on iPhone/Android:
- Open the Facebook app and tap the gear icon in the upper-right corner.
- Tap Personal information, then Contact info.
- Tap Add phone number or Add Email Address and enter the information, then confirm.
Follow these rules to bump up your cybersecurity game across all your accounts:
- Use two-factor authentication (2FA) when available for better security. Tap or click here for details on 2FA.
- Keep your operating systems, apps and devices updated with the latest official software and patches.
- Always have a trusted antivirus program updated and running on all your devices. We recommend our sponsor, TotalAV. Right now, get an annual plan with TotalAV for only $19 at ProtectWithKim.com. That’s over 85% off the regular price!
Want a cut of a $90M Facebook class-action lawsuit? Submit a claim now
Cybersecurity check: See if anyone is poking around your Gmail, Facebook or Netflix account