Facebook Cyber Awareness


This is a reminder to those of us on social media to be mindful of what we share and how we do it.

In this story, to keep things clear, I will refer to the "friend" (really the compromised friend's account) as the attacker and to myself as the victim.

Today (22 Oct 2022) I was contacted via Facebook Messenger by a friend who said he wanted my number (stupidly, I gave it to him). He then responded that he was going to use my number to reset his account since he was having issues accessing it. That's when a red flag (🚩) went off. I don't recall Facebook enabling this "option," and sure enough, after I stupidly gave him the number, I got the email. Great, the dude's got my number, but I block all calls anyway (time to get a new number - stupid me).

Now, this is when I conducted some testing and verification. If I open an incognito tab/window and copy and paste the URL link from my email, it sends me to a Facebook page and prompts me to reset my password (obviously it's for my account). At the same time, if I change it or hit skip, I get my two-factor authentication (2FA) message, at which point I get a notification of the GPS location and IP address, among other information, from that little security feature in Facebook.

This prompted me to do my own little test. If I go to the Facebook login, click "Forgot password," and enter my phone number, it shows my partial email (good, he can't get the full string), but if I keep that browser open it asks for the email code/PIN that the attacker is waiting for.

Whatever you do, don't give them this PIN!

Following my own investigation, I searched this "friend's" Facebook for his wife's account and tried to contact her to ask if she was near my "friend"; no answer. Then I discovered via her page that my friend has another account with recent activity as well. So I messaged them both, let them know about the situation, and notified family and friends of this threat. I also unfriended him, knowing that the account was compromised at this point.

Yes, I made a mistake due to partial information on my part; we as a society give things out too easily. In this case, not knowing the account was compromised, a message like "Send me your number..." reads as "hey, I got a new phone and I want your number" when you assume things.

Attached below is the string of events for your enjoyment.

Long story short, always be on alert and know that NO, a friend cannot use your number to reset their account.