“Is my Facebook account being hacked?” That’s the question I had when I found a series of password-reset confirmation requests from Facebook in my inbox.
In fact, since I have two email addresses associated with my Facebook account, I had the same series of request in both inboxes.
Except I hadn’t requested a reset.
Let’s look at what happened, and how my preparations in securing my account kept me safe, so that you can do the same.
Become a Patron of Ask Leo! and go ad-free!
Was my Facebook account being hacked?
A series of Facebook password-reset notifications may or may not indicate that someone was actively attempting to hack my Facebook account.
My sense is that the more common reason unexpected password resets appear is that someone attempts to log in to Facebook with the wrong email address.
Not realizing they’ve typed in their own email address incorrectly, or not understanding that the email address they’re typing in isn’t theirs1, they then assume it’s the password that’s at fault, and they start the password-reset process. The real owner of the email address then gets the password-reset confirmation emails, which they dutifully, and appropriately, ignore.
But hacking – or rather an attempted hack – is certainly a possibility.
What it takes for a password reset hack to work
In order for the password-reset approach to work, the hacker needs access to the email account associated with the Facebook account. In other words, they somehow need to intercept the password-reset confirmation email message Facebook sends, and act on it. Once they do, they can reset the Facebook account password.
Typically that means the email account or accounts associated with the Facebook account have themselves already been hacked… though it’s not necessary. All the hacker really needs is access to the email messages sent to those email accounts. That could be done by anything from a compromised mail server (extremely unlikely2) to snooping in on an unencrypted open WiFi connection and watching the messages fly by.
And even then, there could be roadblocks.
Let’s look at a couple of ways you can secure your account.
Roadblock to hacking: two-factor authentication
In Facebooks’s Security Settings, I have on two options turned on: Login Approvals and Code Generator.
Essentially, Login Approvals is two-factor authentication.
The technique is very simple: when you log in to Facebook from a device you’ve never logged in from before3, Facebook requires you to enter a code (which is sent as a text to your phone) before it allows the login to succeed. The “Get codes” option allows you to plan ahead for when you have no phone or text coverage by procuring a set of 10 single-use codes to keep with you to use if needed.
If you don’t have the phone, or the codes, then you can’t log in, even if you have the correct password.
An additional option is the “Code Generator”.
When enabled, you can use the Facebook app on your smartphone to provide a security code whenever needed.
This also doesn’t require cell coverage; it simply means you need to have the phone in your possession and have previously installed, and be able to run, the Facebook app.
With these two options enabled, even if you have my password, you can’t log in to my account without having either my phone or a computer on which I’d previously logged in.
The same’s true for my email accounts, by the way. Two factor authentication is also enabled there.
But being who I am, I’ve taken things one level further.
As outlined in a post from Facebook last year, they are rolling out the ability to add a public key to your personal information. This key is used to encrypt the content of all email messages sent to you from Facebook.
My account happened to be one of the early recipients of this feature.
What this means is simply that even if a hacker had access to, or could intercept, the password-reset notifications sent to my email address, they would see only encrypted gibberish.
To: "Leo A. Notenboom" <********> Subject: Encrypted Notification from Facebook [**************] From: Facebook <firstname.lastname@example.org> This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156) . . . -----BEGIN PGP MESSAGE-----
hQEOA1yUoCGStLEEEAQAxgWbeCuqUp3ww+z2fkuglZGr8SX97DFlmlVml9tPyKhL x3seVmy7evu7+ljM7+B5J44CoWzTWqPhgbyC1SDhHP6+xwCvooqTHEitYMrmCEAO 4upBnUkICg632W8pQEfWwX/eQslasfRDMaexD5m+xqY935tNsHvGNHGB5hjGw3UD +wfRVbeqsMRplcuuQ/9z+beH25Amv0LLmhQLA9Tyl0P0z5tM3AN0UUO7Pn4vyrEf oq/5/c3xfYcui8iimxX5XMKv6o5s26akeVOgyuyW9n4YSzSe3qSF20kmAiJcTzjL cFhFXMsFgdieSAwkMWYmpmijEHMCZvgeT9yUikZ2jkIb0usBVqdEwYOK2UOK0qKI U6utgleTtumHq0bXlZUwMzLmp3nIwGc0hhbM6LYU2haTaqNt/we77HKXVd7wSywx
Without my private key, that message can’t be deciphered. In fact, all my Facebook email arrives this way, and it’s not until I decrypt it that I can tell whether it’s a post notification, a friend request, or a password-reset confirmation.
Needless to say, in this case it was the latter.
Even if they hack or intercept my email, without my private key, hackers can’t respond to the confirmation required to reset my password.
My recommendations to prevent your Facebook being hacked
Naturally, have a good password. That almost goes without saying these days, but sadly, report after report reminds us that we’re generally lazy when it comes to the passwords we choose. And to be clear, while a strong password is important for many reasons, if a hacker can manage to perform a password reset, your old password doesn’t really matter.
I strongly recommend turning on log-in approvals. It’s not much of a hassle at all, as long as you have the second factor (whether phone or codes) with you. They’re invoked only when you log in from a new browser or delete cookies – the rest of the time, you’ll never even realize the security measure is in place. (Seriously, I had to go double check to make sure I still had it turned on, it had been so long since I needed to provide a code.)
I actually don’t recommend pubic key encryption at this time, unless you are already very comfortable with the technique. The technology fascinates me, so I’ve been playing with it for a long time. Adding it was simple, for me.4 The downside is that I cannot read my Facebook notifications on my phone, as I don’t have the means to directly, or easily, decrypt encrypted messages there.