Continuing on from the Part 1 story, not long after I saw this story from Linus Tech Tips – they’d been hacked and although that’s on YouTube and I just lost my personal Facebook account, they sound like the same issue. This is worth a watch to understand what’s going on, if you think because you’ve got 2FA set up, you’re completely safe:
I still don’t know exactly what happened, but my cookie being hijacked made sense based on what I saw on the access logs – the same browser cookie used for auth that I’d used many months before, but no new login attempt, no MFA hacks etc.
Facebook have the same issue as YouTube – there is no MFA challenge when you change something major about your account, like your display name. It would make sense to do so when major profile changes are made, but they don’t.
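The two gaps described above (a stolen session cookie being honoured from a new device with no fresh login, and a display-name change going through with no MFA challenge) can both be caught server-side. The following is an added example, not Facebook's or YouTube's code: a small session model with a step-up check for sensitive profile changes, plus a log walk that flags a session cookie reused from a client fingerprint other than the one bound at login. The event format, the `STEP_UP_WINDOW` value, the `SENSITIVE_ACTIONS` set and the sample log lines are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption for this example: an MFA older than this is not "fresh" enough to
# authorise a sensitive change. A real service tunes this to its risk appetite.
STEP_UP_WINDOW = timedelta(minutes=10)

# Account changes that someone holding a stolen cookie would most want to make.
SENSITIVE_ACTIONS = {"change_display_name", "change_email", "change_phone", "change_password"}


@dataclass
class Session:
    session_id: str
    user: str
    last_mfa: Optional[datetime]   # when this session last passed an MFA challenge
    ip: str                        # client fingerprint bound when the cookie was issued
    user_agent: str


def requires_step_up(session: Session, action: str, now: datetime) -> bool:
    """Sensitive changes need a fresh MFA on *this* session; holding a valid cookie
    (the situation in the post) is not enough on its own."""
    if action not in SENSITIVE_ACTIONS:
        return False
    return session.last_mfa is None or now - session.last_mfa > STEP_UP_WINDOW


def detect_cookie_reuse(events: List[dict]) -> List[str]:
    """Walk access-log events in time order and flag a session cookie that appears
    from a different IP/User-Agent than the one recorded at login, with no new
    login event for that session in between."""
    bound: Dict[str, Tuple[str, str]] = {}
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        fp = (ev["ip"], ev["user_agent"])
        if ev["type"] == "login":
            bound[sid] = fp            # (re)bind the cookie to the client that logged in
        elif sid not in bound:
            alerts.append(f"{sid}: used without any recorded login")
        elif bound[sid] != fp:
            alerts.append(
                f"{sid}: cookie reused from {fp} (bound to {bound[sid]}) on {ev['action']}"
            )
    return alerts


# Constructed sample log: a legitimate login, a routine access months later from the
# same client, then the same cookie used from a new client to rename the profile.
SAMPLE_EVENTS = [
    {"ts": datetime(2022, 9, 1, 8, 0), "type": "login", "session_id": "s-1",
     "ip": "203.0.113.5", "user_agent": "Firefox/104", "action": "login"},
    {"ts": datetime(2023, 1, 15, 19, 30), "type": "access", "session_id": "s-1",
     "ip": "203.0.113.5", "user_agent": "Firefox/104", "action": "view_feed"},
    {"ts": datetime(2023, 3, 24, 1, 5), "type": "access", "session_id": "s-1",
     "ip": "198.51.100.77", "user_agent": "Chrome/111", "action": "change_display_name"},
]


def demo() -> Tuple[List[str], bool]:
    """Run both checks over the constructed data; the user name is a placeholder."""
    alerts = detect_cookie_reuse(SAMPLE_EVENTS)
    # The session's only MFA was at login in September 2022, so a rename at 1am
    # months later must trigger a fresh challenge.
    stale = Session("s-1", "user-1", datetime(2022, 9, 1, 8, 0), "203.0.113.5", "Firefox/104")
    needs_mfa = requires_step_up(stale, "change_display_name", datetime(2023, 3, 24, 1, 5))
    return alerts, needs_mfa


if __name__ == "__main__":
    alerts, needs_mfa = demo()
    for line in alerts:
        print("ALERT", line)
    print("step-up required:", needs_mfa)
```

Either check alone would have changed the outcome described in the post: the fingerprint change turns into an alert and a forced re-login rather than a silent rename, and the rename itself cannot complete until the session passes a fresh MFA. Binding on IP alone causes false positives for mobile users who change networks, which is why the example keys on the IP and User-Agent pair and why a real deployment would add more signals before blocking rather than alerting.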
Beyond that, logging onto Facebook today I saw an alert about my other profile – the one that had been taken over, but the browser was still aware of it (the account wasn’t deleted, purely completely blocked/disabled by Facebook). I’d also note here that I didn’t receive any email or other alert.
I thought I’d log back onto the account out of interest, and was presented with a different screen:
This sounded like I might be able to get the old account back – so going through the process was purely an SMS code to type in based on my saved phone number, asking me if the phone number/email addresses were correct, then kicking off a bot who’s also a doctor seeing what actions might have been done under my account:
Strangely, this bot who I don’t believe actually is a qualified doctor, came back to tell me nothing was changed on my account:
Ah, I must have always been Lily and not realised it… even though the downloaded logs showed that was the last change on my Facebook account. If this system can’t detect that, it’s already failed.
Those Extra security settings were purely to get notifications and emails if my account is ever logged on at a new device – not a terrible thing, but probably not going to save me at 1am.
I really don’t want my old profile now anyway, but it has let me easily delete the Facebook Page I had for ‘Adam Fowler IT’ so that’s now gone.
I was considering maybe reviving the old account, but I couldn’t even change the name back because I’d changed it in the last 60 days.
Also, there might be something historical I want to get from the account, and although I have everything downloaded, it’s a bit of a pain to go through so rather than deleting the account, I changed the account profile photo to ‘do not use’ and deactivated it.
Overall, I’m still very unimpressed with the entire process, and the above continues to prove how even one of the most valuable companies in the world still gets this stuff so wrong.