Sign in Subscribe

Facebook Cyber Awareness

JR
JR
2 min read
Facebook Logo
Photo by Roman Martyniuk / Unsplash

This is a reminder to those of us on social media to be mindful of what we share and how we do it.

In this story, I will identify "friend" aka "compromised friends account" as the attacker and me as the victim to clarify things.

Today (22 Oct 2022) I was contacted via Facebook Messenger by a friend that he wanted my number (stupidly I gave it to him) and then he responds afterward that he was going to use my number to reset his account since he was having issues accessing it.  That's when a red flag (🚩) went off.  I don't recall Facebook enabling this "option" and sure enough, after I stupidly gave him the number, I get the email.  Great dudes got my number, but I block all calls anyways (time to get a new number - stupid me).  

Now, this is when I conduct some testing and verification.  If I open an incognito tab/window and copy and paste the URL link in my email it sends me to a Facebook page and prompts me to reset my password (obviously it's for my account).  At the same time If I changed it or hit skip, I get my two-factor authentication (2FA) message at which I get a notification of the GPS location and IP address among other information from that little security feature in Facebook.

This prompts me to do my own little testing.  If I go to Facebook login, do forget my password, and enter my phone number it shows my partial email (good he can't get the full string) but if I keep that browser open it asks for the email code/pin that the attacker is waiting for.  

⚠️
Whatever you do, don't give them this PIN!

Following my own investigation, I searched this "friends" Facebook for his wife's account and try to contact her and ask if she is near my "friend", no answer.  Then I discover my friend has another account via her page with recent activity as well.  So I message them both and let them know about the situation and notify family and friends of this threat.  I also unfriended him as well knowing that the account was compromised at this point.

Yes, I made a mistake due to partial information on my part - we as a society are easy to give things out.  In this case not knowing about the account being compromised and the message "Send me your number..." starts out as hey I got a new phone and I want your number when you assume things.

Attached is the below string of events for your enjoyment.

Facebook Chat Message Evidence

Long story short, be always on alert and know that NO a friend cannot use your number to reset their account.