Through a mistake in Facebook’s account management that enabled a hacker to attach a victim’s phone number (linked to the FB account) to their own FB account. That’s one possibility: Hacker finds bug that allowed anyone to bypass Facebook 2FA | TechCrunch
My phone # was retained on the hacker’s account, which points to the above, but that hack trick uses SMS. Facebook claims they have not seen this exploit used – yet.
I did not use SMS 2FA but an authenticator app. FB gave no alerts that anyone logged into the account from an unusual location, gave no alerts that profile data had been changed. The only alert I received was addressed to “Lily Collins”, with a photo of an Asian woman, but sent to my email address. (I would not assume that hacker is Asian, female or named Lily Collins – everything in hacking is bogus.)
The email address I used on FB is an obscure address that I do not use for regular email correspondence but only for a handful of platforms like social media accounts.
The password was moderately complex but I had not updated it to “strong” level complexity.
I had not received any phishing emails.
Another possibility is malware on the Android phone used for 2FA. Just ran a malware scan and nothing was found.
UPDATE: I was able to get into the account but the account is partially disabled. I could change the profile picture back to me but am unable to change the user name. The Settings page says it is unavailable due to a “Technical issue”. The perpetrator had also added some friends – with Vietnamese names. I have no idea what will happen to the account – will it be permanently disabled? Is it recoverable? Will they steal my content for their own purposes? I am not yet seeing what the point of this was – why steal the account?
UPDATE: What appears to have happened
I had clicked on a FB ad which appears to have done a drive by malware installation.
The malware stole selected authentication cookies from the browser. Any account that was logged in has an associated authentication cookie left on your computer – you can then return to the web page later without having to log in again. In this way, the attacker looked for specific authentication cookies of selected online services – and then used those cookies to log into your account.
In the case of Facebook, they sought access to saved credit cards on the account – and then used those credit cards to buy Facebook advertising (probably acting as a reseller – selling ad services to others, funded by stolen credit cards saved on FB accounts). Fortunately, I did not have a saved credit card on my FB account.
- Today, I use Cookie Autodelete to delete all cookie files within 15 seconds of leaving most websites.
- I delete all cookie files and history upon exit from the browser (I leave a few cookies in place for a few web sites so those get deleted too at this stage.)
- I removed saved credit cards from most online accounts.
- I use 2FA wherever possible – but this authentication cookie exploit bypasses 2FA.
My account was also stolen, but they also somehow got into my desktop and got every other password too. Microsoft, Google and a couple of games are all changed and at this point I haven’t got them back. I sent tickets in and haven’t heard back yet.
Depending on which attack was used, they seem to have gotten access to any account that had been opened and still likely had authentication cookies indicating the account had bypassed login. The hack scooped up all cookies.
I have gone through and changed all passwords on all accounts, may also change email addresses. I reset 2FA on all accounts that had it, and have added 2FA where that has now been made available since I set up the account. 2FA is not necessarily sufficient when implemented wrong – the right way is that no account data should be changeable, even if logged in – unless you are given a second 2FA/login authentication. FB does not do that, many sites don’t. But some have implemented that.
I also now have my browsers set to auto-delete all cookie files as soon as a tab is closed, or if I type a new domain in the URL line and switch domains.
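The two points raised above (a copied authentication cookie is as good as a login, and account data should not be changeable without a fresh second-factor check) are what a service's session layer has to get right. The following is an added example, not Facebook's code and not written by the post's author or the commenter, showing one way to implement that control server-side: each session records when password + 2FA were last completed, sensitive changes are refused unless that was recent, and a password change revokes every other session so a stolen cookie dies with it. The `STEP_UP_MAX_AGE` value, the `SessionStore` API and the timeline in `cookie_theft_scenario()` are all constructed for illustration.

```python
# Added example: step-up authentication and session revocation for sensitive
# account changes. Not Facebook's code; policy values are assumed.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy: a sensitive change is accepted only if this session completed
# a full authentication (password + second factor) within the last N seconds.
STEP_UP_MAX_AGE = 300


@dataclass
class Session:
    user: str
    created_at: float
    last_strong_auth_at: float  # when password + 2FA last completed on THIS session
    revoked: bool = False


def _key(token: str) -> str:
    # Keep only a hash of the cookie value, so a dump of the session table
    # does not hand out usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float, second_factor_ok: bool) -> str:
        """Issue a cookie value. Without a second factor the session exists
        but never counts as strongly authenticated."""
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = Session(
            user=user,
            created_at=now,
            last_strong_auth_at=now if second_factor_ok else float("-inf"),
        )
        return token

    def lookup(self, token: str) -> Optional[Session]:
        s = self._sessions.get(_key(token))
        return None if s is None or s.revoked else s

    def step_up(self, token: str, now: float, second_factor_ok: bool) -> bool:
        """Re-run the second factor on an existing session. A copied cookie on
        its own cannot pass this because the holder lacks the factor."""
        s = self.lookup(token)
        if s is None or not second_factor_ok:
            return False
        s.last_strong_auth_at = now
        return True

    def revoke_all_for_user(self, user: str, keep: Optional[str] = None) -> int:
        """Revoke every session of `user` except the one identified by `keep`."""
        keep_key = _key(keep) if keep else None
        count = 0
        for key, s in self._sessions.items():
            if s.user == user and not s.revoked and key != keep_key:
                s.revoked = True
                count += 1
        return count


def sensitive_change_allowed(store: SessionStore, token: str, now: float) -> Tuple[bool, str]:
    """Gate for email/username/password changes and saved-card access."""
    s = store.lookup(token)
    if s is None:
        return False, "no valid session"
    if now - s.last_strong_auth_at > STEP_UP_MAX_AGE:
        return False, "step-up required: no recent second factor on this session"
    return True, "ok"


def change_password(store: SessionStore, token: str, now: float) -> Tuple[bool, int]:
    """Change the password only after step-up, then kill all other sessions,
    which also invalidates any cookie copied from the browser by malware."""
    allowed, _ = sensitive_change_allowed(store, token, now)
    if not allowed:
        return False, 0
    s = store.lookup(token)
    return True, store.revoke_all_for_user(s.user, keep=token)


def cookie_theft_scenario() -> dict:
    """Constructed timeline mirroring the post: cookie copied from a logged-in
    browser, holder of the copy tries to change account data."""
    store = SessionStore()
    victim_cookie = store.login("victim", now=0.0, second_factor_ok=True)
    stolen = victim_cookie  # the cookie file is copied at t=1000
    r = {}
    # The copied cookie still reads as a logged-in session ...
    r["stolen_cookie_logged_in"] = store.lookup(stolen) is not None
    # ... but cannot change username/email: the last strong auth is stale
    r["stolen_change_allowed"] = sensitive_change_allowed(store, stolen, now=1000.0)[0]
    # ... and cannot pass step-up without the authenticator code
    r["stolen_step_up"] = store.step_up(stolen, now=1000.0, second_factor_ok=False)
    # The account owner logs in on a clean device with 2FA and changes the password
    clean_cookie = store.login("victim", now=2000.0, second_factor_ok=True)
    ok, revoked = change_password(store, clean_cookie, now=2000.0)
    r["password_changed"] = ok
    r["sessions_revoked"] = revoked
    # The copied cookie is now dead; the clean session still works
    r["stolen_cookie_alive"] = store.lookup(stolen) is not None
    r["clean_cookie_alive"] = store.lookup(clean_cookie) is not None
    return r


if __name__ == "__main__":
    for name, value in cookie_theft_scenario().items():
        print(f"{name}: {value}")
```

Two design choices matter here: the step-up timestamp is stored per session, not per user, so a fresh 2FA on the owner's clean device does not unlock sensitive changes for a copied cookie elsewhere; and revocation is server-side, so it does not depend on the browser ever forgetting the cookie. The remaining gap is a copy taken from the same browser inside the step-up window, which is why the window is kept short.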