This is a reminder to those of us on social media to be mindful of what we share and how we do it.
In this story, to clarify things, I will refer to "friend" (aka the compromised friend's account) as the attacker and to myself as the victim.
Today (22 Oct 2022) I was contacted via Facebook Messenger by a friend saying he wanted my number (stupidly, I gave it to him), and then he responded afterward that he was going to use my number to reset his account since he was having issues accessing it. That's when a red flag (🚩) went off. I don't recall Facebook enabling this "option," and sure enough, after I stupidly gave him the number, I got the email. Great, dude's got my number, but I block all calls anyway (time to get a new number - stupid me).
Now, this is when I conduct some testing and verification. If I open an incognito tab/window and copy and paste the URL link from my email, it sends me to a Facebook page and prompts me to reset my password (obviously it's for my account). At the same time, if I change it or hit skip, I get my two-factor authentication (2FA) message, at which point I get a notification of the GPS location and IP address, among other information, from that little security feature in Facebook.
This prompts me to do my own little testing. If I go to the Facebook login, click "forgot my password," and enter my phone number, it shows my partial email (good, he can't get the full string), but if I keep that browser open, it asks for the email code/PIN that the attacker is waiting for.
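To make the mechanics of that test concrete, here is an added toy model of a phone-number-based password reset. It is illustration code written for this post, not Facebook's implementation; the account names, phone numbers, email addresses, the six-digit code format and the ten-minute expiry are all assumptions. It shows why the code that shows up after someone "asks for your number" belongs to your account: the phone number is the lookup key, so whoever enters it triggers a reset of the account that owns it, and the code is delivered to that owner, never to the person typing the number.

```python
"""Toy model of a phone-number-based password reset (added example, not a
real service's code). Demonstrates that the reset code is bound to the
account that owns the phone number, so handing it over means handing over
YOUR account, not helping a friend recover theirs."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    phone: str
    password_hash: str


def hash_pw(password: str) -> str:
    # Placeholder hash for the demo; a real service would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def mask_email(email: str) -> str:
    """Partial email shown on the reset page, e.g. 'a****@example.com'."""
    local, domain = email.split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


class RecoveryService:
    CODE_TTL_SECONDS = 600  # assumed expiry window

    def __init__(self, accounts):
        # The phone number is the lookup key: it maps to exactly one account.
        self.by_phone = {a.phone: a for a in accounts}
        self.pending = {}   # phone -> (code, expiry time)
        self.outbox = []    # (recipient email, code): messages "sent"

    def request_reset(self, phone: str):
        acct = self.by_phone.get(phone)
        if acct is None:
            return None  # identical response for unknown numbers: no enumeration
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, time.time() + self.CODE_TTL_SECONDS)
        self.outbox.append((acct.email, code))   # the code goes to the OWNER
        return mask_email(acct.email)            # what the requester sees

    def complete_reset(self, phone: str, code: str, new_password: str) -> bool:
        entry = self.pending.get(phone)
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry or not secrets.compare_digest(code, expected):
            return False
        del self.pending[phone]   # single use: a leaked code cannot be replayed
        self.by_phone[phone].password_hash = hash_pw(new_password)
        return True


def simulate_incident():
    """Replay the story with constructed accounts: the requester enters the
    victim's number; the code lands in the victim's inbox; only the account
    owning that number can be reset, and only if the owner gives the code away."""
    victim = Account("victim", "victim@example.com", "+15550001111", hash_pw("victim-pw"))
    friend = Account("friend", "friend@example.com", "+15550002222", hash_pw("friend-pw"))
    svc = RecoveryService([victim, friend])

    shown = svc.request_reset(victim.phone)      # victim's number is entered
    recipient, code = svc.outbox[-1]             # ...but the email goes to the victim
    friend_reset = svc.complete_reset(friend.phone, code, "x")   # cannot touch the friend's account
    victim_reset = svc.complete_reset(victim.phone, code, "new-pw")  # works only with the victim's code
    replay = svc.complete_reset(victim.phone, code, "again")     # code is already spent
    return {
        "shown": shown,
        "recipient": recipient,
        "friend_reset": friend_reset,
        "victim_reset": victim_reset,
        "replay": replay,
        "victim_pw_changed": victim.password_hash == hash_pw("new-pw"),
        "friend_pw_changed": friend.password_hash != hash_pw("friend-pw"),
    }


if __name__ == "__main__":
    for key, value in simulate_incident().items():
        print(f"{key}: {value}")
```

Running it prints that the masked address shown to the requester is the victim's, the code is delivered to the victim's email, the friend's account is untouched no matter what, and the victim's password changes only when the victim's own code is entered. That is the whole lesson of the test above: the email code is the last thing standing between the attacker and your account.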
Following my own investigation, I searched this "friend's" Facebook for his wife's account and tried to contact her to ask if she was near my "friend"; no answer. Then I discovered, via her page, that my friend has another account with recent activity as well. So I messaged them both and let them know about the situation, and notified family and friends of this threat. I also unfriended him, knowing that the account was compromised at this point.
Yes, I made a mistake due to partial information on my part; we as a society are quick to give things out. In this case, I didn't know the account was compromised, and a message like "Send me your number..." reads as "hey, I got a new phone and I want your number" when you assume things.
Attached below is the string of events for your enjoyment.
Long story short, always be on alert and know that NO, a friend cannot use your number to reset their account.