It has been claimed that criminals can hack into your Facebook account by obtaining one simple piece of information – an old phone number that is still linked to it.
If you have forgotten your password, you can enter your phone number to be sent a code that allows you to reset it.
However, if you have moved to a new number and have not unlinked the old one from your account, an attacker who now holds that old number can use Facebook's password-recovery system to gain access to your profile.
Independent programmer James Martindale wrote about this hacking trick in a post on Medium, and he demonstrated how easy it was by taking over several accounts himself.
I kinda hacked a few Facebook accounts using a vulnerability they won’t fix.
I did this without ever knowing the person, touching their stuff, or being anywhere physically close to them.
Martindale accessed a stranger's account by simply typing in one of his old phone numbers; carriers often recycle numbers and hand them to new owners once they fall out of use.
I knew Facebook by default lets people find your account with your phone number, so I typed the number into the search bar to see what came up. A single account.
I opened Facebook in an Incognito tab in Chrome, and attempted to sign in with the phone number as the username and a bogus password.
Of course it didn’t work. So I clicked on Forgot your password.
The recovery option with the completely visible [until I censored it] phone number was the one I entered. Facebook texts me a code, I enter it, and I’m logged in.
I could change the password and lock this guy out of his account, just because he forgot to remove an old number.
Of course, the attacker has to hope that the person who used to own the phone number has not updated their Facebook profile, but since Facebook never prompts you to review this detail, it is likely that many people still have old numbers stored on their accounts.
To check whether this was a one-off, Martindale attempted to hack another account using the same trick, and it worked, again and again.
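The steps above (look the number up, start password recovery, receive the SMS code) boil down to one design decision: whether a phone number that was attached to an account years ago is still trusted as the sole recovery factor. The following Python model is an added example written for this article; it is not Martindale's code and not a description of Facebook's actual logic. The accounts, numbers, dates and the 180-day re-verification window are all constructed assumptions. It shows the weak recovery flow beside a hardened one that treats a long-unverified number as possibly recycled, plus an audit helper that lists the numbers an owner should re-verify or remove.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data for this example; the accounts and numbers are made up.
NOW = datetime(2017, 11, 1)
# Assumption of this example: a recovery number not re-verified within this window is
# treated as possibly recycled. The threshold is illustrative, not a Facebook setting.
REVERIFY_WINDOW = timedelta(days=180)


@dataclass
class RecoveryPhone:
    number: str
    added_at: datetime
    last_verified_at: datetime  # last time the owner proved control of the number


@dataclass
class Account:
    user_id: str
    phones: list = field(default_factory=list)
    discoverable_by_phone: bool = True  # the default lookup behaviour the post describes


ACCOUNTS = [
    # Number attached in 2013 and never re-verified: the carrier may have reassigned it.
    Account("stale_owner", [RecoveryPhone("+15555550100",
                                          datetime(2013, 3, 1), datetime(2013, 3, 1))]),
    # Number verified a few weeks ago: still under the owner's control.
    Account("active_owner", [RecoveryPhone("+15555550101",
                                           datetime(2017, 9, 1), datetime(2017, 10, 20))]),
]


def find_by_phone(number, accounts=ACCOUNTS):
    """Step 1 of the attack: the search bar maps a phone number to accounts."""
    return [a for a in accounts
            if a.discoverable_by_phone and any(p.number == number for p in a.phones)]


def vulnerable_recover(account, number):
    """Weak flow: any number ever attached to the account receives a reset code,
    so whoever currently holds a recycled number can take the account over."""
    if any(p.number == number for p in account.phones):
        return "code_sent"
    return "denied"


def hardened_recover(account, number, now=NOW, window=REVERIFY_WINDOW):
    """Hardened flow (this example's design, not Facebook's): a number the owner has
    not re-verified within `window` cannot be the sole recovery factor. The request
    is not silently refused but escalated to a stronger check."""
    for p in account.phones:
        if p.number != number:
            continue
        if now - p.last_verified_at > window:
            return "stale_number_challenge"  # e.g. require a trusted device or contacts
        return "code_sent"
    return "denied"


def stale_phones(account, now=NOW, window=REVERIFY_WINDOW):
    """Audit helper: numbers the owner should re-verify or remove because the
    service cannot tell whether they still belong to the owner."""
    return [p.number for p in account.phones if now - p.last_verified_at > window]


def attacker_with_recycled_number(number, flow):
    """Replay the post's steps with a number the attacker now owns."""
    hits = find_by_phone(number)
    if len(hits) != 1:
        return "no_single_target"
    return flow(hits[0], number)


if __name__ == "__main__":
    recycled = "+15555550100"
    print("vulnerable:", attacker_with_recycled_number(recycled, vulnerable_recover))  # code_sent
    print("hardened:  ", attacker_with_recycled_number(recycled, hardened_recover))    # stale_number_challenge
    print("audit:     ", stale_phones(ACCOUNTS[0]))  # ['+15555550100']
```

The hardened flow does not need to know that a number has been recycled; it only needs to notice that the owner has not proved control of it recently, which is the same signal an audit of your own account settings gives you.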
In the post he explained how this hacking trick could make the crooks a lot of money:
People buy Facebook accounts on the black market all the time, and even in more public places like Reddit.
Or I could message the account’s friends and ask for money.
Another possibility is attaching a Facebook app that will use my hijacked accounts to like pages and posts, comment, give fake reviews to businesses, etc.
All from accounts that look real because they are real, which will make them more valuable to people buying my services.
My point here: your Facebook account is a treasure trove worth a good chunk of money.
In a statement provided to The Register, Facebook said:
Several online services allow people to use phone numbers to recover their accounts.
We encourage people to only list current phone numbers, and if we detect the password recovery attempt as ‘suspicious’ we may prompt the person for more information.
The best way to protect yourself, then, is to remove any old phone numbers and other outdated recovery details from your account, and to do the same on every other online service that offers account recovery by phone, not just Facebook.
You never know: you could be the next victim of this hacking trick.