One possibility: a mistake in Facebook’s account management that enabled a hacker to attach a victim’s phone number (linked to the FB account) to their own FB account. See: Hacker finds bug that allowed anyone to bypass Facebook 2FA | TechCrunch

My phone # was retained on the hacker’s account, which points to the above, but that hack trick uses SMS. Facebook claims they have not seen this exploit used – yet.

I did not use SMS 2FA but an authenticator app. FB gave no alerts that anyone logged into the account from an unusual location, gave no alerts that profile data had been changed. The only alert I received was addressed to “Lily Collins”, with a photo of an Asian woman, but sent to my email address. (I would not assume that hacker is Asian, female or named Lily Collins – everything in hacking is bogus.)

The email address I used on FB is an obscure address that I do not use for regular email correspondence but only for a handful of platforms like social media accounts.

The password was moderately complex but I had not updated it to “strong” level complexity.

I had not received any phishing emails.

Another possibility is malware on the Android phone used for 2FA. Just ran a malware scan and nothing was found.

UPDATE: I was able to get into the account but the account is partially disabled. I could change the profile picture back to me but am unable to change the user name. The Settings page says it is unavailable due to a “Technical issue”. The perpetrator had also added some friends – with Vietnamese names. I have no idea what will happen to the account – will it be permanently disabled? Is it recoverable? Will it steal my content for their own purposes? I am not yet seeing what the point of this was – why steal the account?

2 thoughts on “How did a 2FA protected Facebook account get hacked?”
  1. My account was also stolen, but they also somehow got into my desktop and got every other password too. Microsoft, Google and a couple of games are all changed and at this point I haven’t got them back. I sent tickets in and haven’t heard back yet.

    1. Depending on which attack was used, they seem to have gotten access to any account that had been opened and still likely had authentication cookies indicating the account had bypassed login. The hack scooped up all cookies.

      I have gone through and changed all passwords on all accounts, may also change email addresses. I reset 2FA on all accounts that had it, and have added 2FA where that has now been made available since I set up the account. 2FA is not necessarily sufficient when implemented wrong – the right way is that no account data should be changeable, even if logged in – unless you are given a second 2FA/login authentication. FB does not do that, many sites don’t. But some have implemented that.

      I also now have my browsers set to auto delete all cookie files as soon as a tab is closed, or if I type a new domain in the URL line and switch domains.
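The design the reply above argues for, a session that is logged in but cannot change recovery data without a fresh second factor, is shown below as an added example. It is constructed for this page and is not Facebook's code: the `AccountService`, its field names, the 300-second step-up window and the sample account are all assumptions, and the second-factor check itself is passed in as a boolean rather than implemented. The walkthrough models the scenario in the comments: a session cookie copied from the victim's machine, an attempt to rebind the phone number with only that cookie, and the victim rotating the password from a clean device, which revokes the copied session.

```python
"""Step-up re-authentication for sensitive account changes (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical policy values for this example, not any real platform's settings.
STEP_UP_WINDOW_SECONDS = 300
SENSITIVE_FIELDS = {"email", "phone", "password_hash", "username"}


class StepUpRequired(Exception):
    """A sensitive change was attempted without a recent second-factor check."""


@dataclass
class Session:
    user_id: str
    created_at: float
    last_step_up_at: Optional[float] = None  # None until 2FA is re-proved in this session


@dataclass
class Account:
    profile: Dict[str, str]
    alerts: List[str] = field(default_factory=list)  # notices sent to the *previous* contact


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user_id: str, email: str, phone: str) -> None:
        self.accounts[user_id] = Account({"email": email, "phone": phone, "username": user_id})

    def login(self, user_id: str, second_factor_ok: bool, now: float) -> str:
        """Issue a session token once password and 2FA (checked by the caller here)
        have passed. Login-time 2FA is deliberately NOT recorded as a step-up, so a
        copied cookie does not inherit that freshness."""
        if not second_factor_ok:
            raise PermissionError("second factor failed")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id=user_id, created_at=now)
        return token

    def step_up(self, token: str, second_factor_ok: bool, now: float) -> None:
        """Re-prove the second factor inside an existing session."""
        session = self._session(token)
        if not second_factor_ok:
            raise PermissionError("second factor failed")
        session.last_step_up_at = now

    def change_setting(self, token: str, name: str, value: str, now: float) -> None:
        session = self._session(token)
        account = self.accounts[session.user_id]
        if name in SENSITIVE_FIELDS:
            fresh = (session.last_step_up_at is not None
                     and now - session.last_step_up_at <= STEP_UP_WINDOW_SECONDS)
            if not fresh:
                raise StepUpRequired(name)
            # Alert the contact details on file *before* they are replaced, and
            # revoke every other session so a copied cookie elsewhere stops working.
            account.alerts.append(f"{name} changed; notice sent to {account.profile['email']}")
            self._revoke_other_sessions(session.user_id, keep=token)
        account.profile[name] = value

    def _revoke_other_sessions(self, user_id: str, keep: str) -> None:
        stale = [t for t, s in self.sessions.items() if s.user_id == user_id and t != keep]
        for t in stale:
            del self.sessions[t]

    def _session(self, token: str) -> Session:
        session = self.sessions.get(token)
        if session is None:
            raise PermissionError("unknown or revoked session")
        return session


def demo() -> dict:
    """Scenario from the comments: a session cookie copied from the victim's device."""
    svc = AccountService()
    svc.register("victim", "victim@example.invalid", "+1-555-0100")  # constructed data
    t0 = 1_700_000_000.0
    cookie = svc.login("victim", second_factor_ok=True, now=t0)
    stolen = cookie  # the same token, copied off the logged-in machine

    try:  # rebinding the phone number with only the cookie is refused
        svc.change_setting(stolen, "phone", "+1-555-0199", now=t0 + 60)
        blocked = False
    except StepUpRequired:
        blocked = True

    # Non-sensitive fields need no step-up; the copied cookie still reaches those.
    svc.change_setting(stolen, "bio", "hello", now=t0 + 70)

    # The victim logs in from a clean device, re-proves 2FA and rotates the password.
    clean = svc.login("victim", second_factor_ok=True, now=t0 + 600)
    svc.step_up(clean, second_factor_ok=True, now=t0 + 610)
    svc.change_setting(clean, "password_hash", "<new-hash>", now=t0 + 620)

    try:  # the copied cookie was revoked by that change
        svc.change_setting(stolen, "bio", "later edit", now=t0 + 700)
        stolen_alive = True
    except PermissionError:
        stolen_alive = False

    acct = svc.accounts["victim"]
    return {"attacker_blocked": blocked, "stolen_cookie_alive": stolen_alive,
            "phone": acct.profile["phone"], "bio": acct.profile["bio"],
            "alerts": len(acct.alerts), "live_sessions": len(svc.sessions)}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Freshness is tracked per session rather than per user, so a copied cookie cannot ride on a step-up the real user performed on another device. And every sensitive change both notifies the contact details that were on file before the change and revokes all other sessions, which is exactly the alert the post never received and the cut-off a cookie-stealing compromise needs.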


Coldstreams Skeptic