Facebook often asks its users to link a phone number to their account to help “secure their account.” With a number linked, Facebook lets users recover access to their account, just as with an email address, if they have forgotten their password: they type in their phone number, get a code texted to their phone and then reset the password. Looks cool. But what if you change your phone number and the old one is assigned to someone else?
You might never have thought of it happening, but a cyber security expert claims that attackers can get into anyone’s Facebook account simply by having access to that person’s old phone number.
And How…?
If you change your phone number, there is a good chance that your old number will be reissued to someone else. If the new owner of that number tries to log in to Facebook with it, he or she can perform a password reset and take control of your account.
To explain briefly, tech expert James Martindale has documented his own experience.
According to his post on Medium, Martindale got a new SIM card, and after inserting it into his phone he received two texts. The first was from an unknown person and the second was from Facebook. The second text surprised him, as he hadn’t added the new number to Facebook yet.
“While I looked over the activation instructions that came with the SIM card, I got two texts. The first is from somebody I don’t know, and the second is one of those texts Facebook sends out when you haven’t logged in for a while…except I hadn’t added this phone number to Facebook yet. I was curious.”
As we all know, Facebook by default lets people find your account with your phone number, and you can also use the number to sign in. So he attempted to sign in using the new phone number and a random password. Of course, it didn’t work. So he clicked on ‘Forgot your Password.’
Facebook showed him the recovery phone numbers on file, and he chose the one he had entered. He received a recovery code, which he then used to create a new password and log in. So there it was. He could now do anything with that Facebook account, including changing its password, just because the previous owner of the number had forgotten to remove it from the account.
You might argue that the chances of another person checking his or her new phone number on Facebook are pretty low. But what if someone does? And there is apparently big money to be made in social media profiles. In his post, Martindale claims that hackers can sell hacked Facebook accounts for more than $50 each.
Is Facebook Going to Fix the Issue?
Martindale submitted a report on this issue to Facebook; the company called it a concern but declined to treat it as a bug eligible for its bug bounty program.
“Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.”
So, What Can You Do to Protect Against Such a Facebook Account Hack?
- Immediately remove old phone numbers and email addresses from all of your online accounts, including Facebook.
- Turn on alerts about unrecognized logins on Facebook.
- Set up two-step authentication.
“When a user adds a new phone number to an account, Facebook should immediately ask them if they want to remove their old phone number,” Martindale told El Reg. “If Facebook encourages users to only list current phone numbers this would be the best way to do just that,” Martindale concluded.
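To make the weakness concrete, here is an added example (not code from the article, from Martindale or from Facebook) that models SMS-based recovery as described above: in the weak flow, holding the reissued number is enough to reset the password, while the hardened flow treats a number that has not been re-verified recently as stale and demands a second factor, and the add-number path returns the old number so the UI can prompt for its removal as Martindale suggests. The account fields, the 180-day threshold and the sample data are all assumptions made for illustration.

```python
"""Added example (not from the article or from Facebook): a minimal model of
SMS-based account recovery via a recycled phone number, weak flow beside a
hardened one. Names, the 180-day threshold and the sample data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PHONE_AGE = timedelta(days=180)  # assumed policy: older than this counts as stale


@dataclass
class Account:
    username: str
    phone: str                   # recovery number currently linked to the account
    phone_verified_at: datetime  # last time the owner proved control of that number
    totp_enabled: bool = False   # two-step authentication switched on


def reset_allowed_weak(acct: Account, phone: str, sms_code_ok: bool) -> bool:
    """Recovery as described in the article: whoever holds the number wins."""
    return acct.phone == phone and sms_code_ok


def reset_allowed_hardened(acct: Account, phone: str, sms_code_ok: bool,
                           now: datetime, second_factor_ok: bool = False) -> bool:
    """SMS proof is necessary but not sufficient when the number may have been
    reissued by the carrier, or when the user has opted into two-step auth."""
    if acct.phone != phone or not sms_code_ok:
        return False
    stale = now - acct.phone_verified_at > MAX_PHONE_AGE
    if stale or acct.totp_enabled:
        return second_factor_ok   # e.g. TOTP code or trusted-contact confirmation
    return True


def add_phone(acct: Account, new_phone: str, now: datetime) -> str:
    """Martindale's suggestion: when a new number is linked, return the old one
    so the UI can immediately ask the user whether to remove it."""
    old = acct.phone
    acct.phone, acct.phone_verified_at = new_phone, now
    return old


if __name__ == "__main__":
    # Constructed sample: a number last verified two years ago, like the article's
    victim = Account("alice", "+15550100", datetime(2015, 1, 1))
    now = datetime(2017, 3, 1)
    print(reset_allowed_weak(victim, "+15550100", True))           # True: takeover
    print(reset_allowed_hardened(victim, "+15550100", True, now))  # False: stale
```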