Facebook’s customer support team will help someone break into your account.
Reddit user SquidWhale claims that someone was able to change the email address, password, and two-factor authentication settings of his Facebook account simply by impersonating him in messages to the customer support team.
The messages weren’t even sent from the email address used for the Facebook account, and when the support representative asked the hacker to prove the account was really theirs, the representative accepted identification that didn’t match the account.
That’s all it took for the hacker to gain access to the account. Once that was done, he changed all of the login details, deleted several Facebook pages devoted to the account owner’s business, and sent a dick pic to the rightful owner’s fiancée.
The entire affair took four hours from start to finish. It didn’t matter that the hacker didn’t have the account owner’s email address or password. Hell, it didn’t even matter that the account owner had turned on two-factor authentication.
All that mattered was the fact that Facebook’s customer support was willing to change these settings despite all of the red flags — emailing from the wrong address, claiming not to have a phone, providing the wrong ID — that popped up.
This is all thanks to a technique called social engineering. Instead of breaking encryption, stealing data, or otherwise using technical wizardry to gain access to someone’s information, social engineering relies on telling a convincing lie: it targets the people and processes around a system rather than the system itself.
Just watch this video from Fusion’s “The Real Future,” which depicts a woman gaining access to editor Kevin Roose’s phone account with nothing more than a YouTube clip of a crying baby and some dramatic acting.
Facebook isn’t the only company vulnerable to social engineering. Earlier this year, Amazon was accused of giving out a customer’s personal information to someone who was impersonating them.
More recently, civil rights activist DeRay McKesson’s Twitter account was stolen via social engineering. The hacker posed as McKesson in a call to Verizon and had his phone number moved to a new SIM card; because Twitter’s two-factor codes were delivered by text message to that number, the hacker could then receive them and get around the two-factor authentication on McKesson’s account.
SquidWhale was eventually granted access to his accounts. McKesson’s Twitter account was returned to him. But that doesn’t change the fact that they lost access to important services even though they tried to defend themselves.
There’s only so much people can do to protect themselves online. Use strong, unique passwords. Don’t use one of these terrible passwords. Set up two-factor authentication. Avoid insecure connections that could allow someone to intercept login details while they’re in transit.
This business owner did all of those things. Yet as long as customer support teams are able to change accounts or look up sensitive information there will always be a weak link in the metaphorical fence surrounding personal data.
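As an added example, and not code from Facebook, Twitter, or anyone in this story, the following Python models the weak link described above. It places the policy that failed here (a support desk that changes contact and two-factor settings once an agent is persuaded) beside a policy that requires the same proof of possession a login would: a time-based one-time code per RFC 6238, or a single-use recovery code. When neither is present the request is held and the existing address is notified instead of letting the agent’s judgement decide. Neither proof depends on a phone number, so the same check also blunts the SIM-swap route used against McKesson’s account. The account, request and policy names are invented for illustration; the one-time-code arithmetic follows RFC 4226/6238.

```python
"""Added example: an account-recovery desk that cannot override two-factor auth.

Hypothetical policy model; not Facebook's or Twitter's code.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept codes from adjacent steps to tolerate clock skew; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + skew * 30), code)
        for skew in range(-window, window + 1)
    )


@dataclass
class Account:
    email: str
    totp_secret: bytes
    # Recovery codes are stored hashed and deleted once redeemed.
    recovery_hashes: set = field(default_factory=set)

    def issue_recovery_codes(self, n: int = 5) -> list:
        """Return fresh single-use codes to the owner; keep only their hashes."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)
            return True
        return False


@dataclass
class ChangeRequest:
    """What the support desk has in front of it (constructed sample input)."""
    from_email: str
    agent_convinced: bool      # the human judgement the weak policy relies on
    totp_code: str = ""
    recovery_code: str = ""
    unix_time: int = 0


def weak_policy(account: Account, req: ChangeRequest) -> str:
    """The failure mode in the story: a convincing story overrides email, ID and 2FA."""
    return "applied" if req.agent_convinced else "denied"


def hardened_policy(account: Account, req: ChangeRequest) -> str:
    """Contact and 2FA changes need the same proof of possession as a login.

    Support can relay the request but cannot substitute its judgement for the
    second factor. Neither accepted proof is tied to a phone number, so moving
    the number to another SIM does not help an attacker either.
    """
    if req.totp_code and verify_totp(account.totp_secret, req.totp_code, req.unix_time):
        return "applied"
    if req.recovery_code and account.redeem_recovery_code(req.recovery_code):
        return "applied"
    # Nothing verifiable: hold the change and notify the current address
    # (notification is represented here by the return value only).
    return "held"


if __name__ == "__main__":
    acct = Account("owner@example.com", b"12345678901234567890")
    acct.issue_recovery_codes()
    impostor = ChangeRequest("someone@else.example", agent_convinced=True, unix_time=59)
    print("weak:", weak_policy(acct, impostor))          # applied
    print("hardened:", hardened_policy(acct, impostor))  # held
    owner = ChangeRequest("owner@example.com", False, totp_code=totp(acct.totp_secret, 59), unix_time=59)
    print("hardened, owner with code:", hardened_policy(acct, owner))  # applied
```

The `unix_time` field stands in for the server clock so the example is deterministic; a real desk would read the clock itself and would also rate-limit code attempts, since a six-digit code with a one-step skew window is guessable given unlimited tries.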
Facebook has not yet responded to interview requests about this case but we will update this story when it does.