“Is my Facebook account being hacked?” That’s the question I had when I found a series of password-reset confirmation requests from Facebook in my inbox.
In fact, since I have two email addresses associated with my Facebook account, I had the same series of request in both inboxes.
Except I hadn’t requested a reset.
Let’s look at what happened, and how my preparations in securing my account kept me safe, so that you can do the same.
Become a Patron of Ask Leo! and go ad-free!
Was my Facebook account being hacked?
A series of Facebook password-reset notifications may or may not indicate that someone was actively attempting to hack my Facebook account.
My sense is that the more common reason unexpected password resets appear is that someone attempts to log in to Facebook with the wrong email address.
Not realizing they’ve typed in their own email address incorrectly, or not understanding that the email address they’re typing in isn’t theirs1, they then assume it’s the password that’s at fault, and they start the password-reset process. The real owner of the email address then gets the password-reset confirmation emails, which they dutifully, and appropriately, ignore.
But hacking – or rather an attempted hack – is certainly a possibility.
What it takes for a password reset hack to work
In order for the password-reset approach to work, the hacker needs access to the email account associated with the Facebook account. In other words, they somehow need to intercept the password-reset confirmation email message Facebook sends, and act on it. Once they do, they can reset the Facebook account password.
Typically that means the email account or accounts associated with the Facebook account have themselves already been hacked… though it’s not necessary. All the hacker really needs is access to the email messages sent to those email accounts. That could be done by anything from a compromised mail server (extremely unlikely2) to snooping in on an unencrypted open WiFi connection and watching the messages fly by.
And even then, there could be roadblocks.
Let’s look at a couple of ways you can secure your account.
Roadblock to hacking: two-factor authentication
In Facebooks’s Security Settings, I have on two options turned on: Login Approvals and Code Generator.
Login Approvals
Essentially, Login Approvals is two-factor authentication.
The technique is very simple: when you log in to Facebook from a device you’ve never logged in from before3, Facebook requires you to enter a code (which is sent as a text to your phone) before it allows the login to succeed. The “Get codes” option allows you to plan ahead for when you have no phone or text coverage by procuring a set of 10 single-use codes to keep with you to use if needed.
If you don’t have the phone, or the codes, then you can’t log in, even if you have the correct password.
Code Generator
An additional option is the “Code Generator”.
When enabled, you can use the Facebook app on your smartphone to provide a security code whenever needed.
This also doesn’t require cell coverage; it simply means you need to have the phone in your possession and have previously installed, and be able to run, the Facebook app.
With these two options enabled, even if you have my password, you can’t log in to my account without having either my phone or a computer on which I’d previously logged in.
The same’s true for my email accounts, by the way. Two factor authentication is also enabled there.
But being who I am, I’ve taken things one level further.
Encrypted email
As outlined in a post from Facebook last year, they are rolling out the ability to add a public key to your personal information. This key is used to encrypt the content of all email messages sent to you from Facebook.
My account happened to be one of the early recipients of this feature.
What this means is simply that even if a hacker had access to, or could intercept, the password-reset notifications sent to my email address, they would see only encrypted gibberish.
To: "Leo A. Notenboom" <********> Subject: Encrypted Notification from Facebook [**************] From: Facebook <noreply@facebookmail.com> This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156) . . . -----BEGIN PGP MESSAGE-----
hQEOA1yUoCGStLEEEAQAxgWbeCuqUp3ww+z2fkuglZGr8SX97DFlmlVml9tPyKhL x3seVmy7evu7+ljM7+B5J44CoWzTWqPhgbyC1SDhHP6+xwCvooqTHEitYMrmCEAO 4upBnUkICg632W8pQEfWwX/eQslasfRDMaexD5m+xqY935tNsHvGNHGB5hjGw3UD +wfRVbeqsMRplcuuQ/9z+beH25Amv0LLmhQLA9Tyl0P0z5tM3AN0UUO7Pn4vyrEf oq/5/c3xfYcui8iimxX5XMKv6o5s26akeVOgyuyW9n4YSzSe3qSF20kmAiJcTzjL cFhFXMsFgdieSAwkMWYmpmijEHMCZvgeT9yUikZ2jkIb0usBVqdEwYOK2UOK0qKI U6utgleTtumHq0bXlZUwMzLmp3nIwGc0hhbM6LYU2haTaqNt/we77HKXVd7wSywx
Without my private key, that message can’t be deciphered. In fact, all my Facebook email arrives this way, and it’s not until I decrypt it that I can tell whether it’s a post notification, a friend request, or a password-reset confirmation.
Needless to say, in this case it was the latter.
Even if they hack or intercept my email, without my private key, hackers can’t respond to the confirmation required to reset my password.
My recommendations to prevent your Facebook being hacked
Naturally, have a good password. That almost goes without saying these days, but sadly, report after report reminds us that we’re generally lazy when it comes to the passwords we choose. And to be clear, while a strong password is important for many reasons, if a hacker can manage to perform a password reset, your old password doesn’t really matter.
I strongly recommend turning on log-in approvals. It’s not much of a hassle at all, as long as you have the second factor (whether phone or codes) with you. They’re invoked only when you log in from a new browser or delete cookies – the rest of the time, you’ll never even realize the security measure is in place. (Seriously, I had to go double check to make sure I still had it turned on, it had been so long since I needed to provide a code.)
I actually don’t recommend pubic key encryption at this time, unless you are already very comfortable with the technique. The technology fascinates me, so I’ve been playing with it for a long time. Adding it was simple, for me.4 The downside is that I cannot read my Facebook notifications on my phone, as I don’t have the means to directly, or easily, decrypt encrypted messages there.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
“They’re invoked only when you log in from a new browser or delete cookies” WHAT????
i can delete cookies in FB?
It’s actually that Facebook sets cookies on your computer. If you delete your computer’s cookies then Facebook won’t know who you are. Same thing with a different browser. Until Facebook’s cookies get set for the new browser Facebook won’t know who you are.
You don’t delete cookies “in” Facebook. You delete cookies in the browser you use to access Facebook.
Except that the Facebook cookie is deleted when you log out.
1. My 30-Days has gone by after my “free” Windows 10 download (from Win 7), which I did accomplish. Now, and only now, my scanner stopped working. I also wonder if any of my other Win 7 working applications will malfunction, now (as I try to use them). Is the Win 7 compatability gone?
2. I had trouble entering my now Windows 10 system. Once I realized that I had just forgotten a capital letter, I decided to reset my Microsoft Account-Windows 10 password. I tried several methods, before I realized how to get it done. The next day, as I opened my machine, a menu called Password Reset Wizard popped up. So, I used it, made a password reset disk, and stored it away. Now, I am wondering if it was a hack, to assist someone to learn my password. So, I changed my password again and ran a scan. It found a Trojan, which my Win Defender caught and quarantined. Maybe unrelated–maybe not? What do you think.
Windows 10 has otherwise been relatively painless, although I did need to update my graphics card to use my dual screen set-up from Win 7.
Leo – very informative article about Facebook. Thank you. Five times in the past four months I’ve had an email from Facebook that someone is trying to sign into my account from a location 30 miles away. “Was it you? If not, change your password” etc. – which I’ve done.
After the last three incidents I asked Facebook to give me the IP address used to log in but they won’t. If they do, I’ll contact our local ‘cyber-crime’ police unit. My friends and family say not to worry, it happens all the time, just ignore it.
Should I just ignore it please?
Taffy from Outlane UK
If the “person” trying to log on has an IP address indicating it’s 30 miles from you, it’s very possible and probably even likely that that login attempt is yours. IP addresses off by 30 miles are very common. It may be that you removed a cookie from your machine or logged on from a different device.
I would ignore it. Ultimately that’s what I did.
How can I verify my Facebook?
You’re not going to like my answer which is: You have to read the instructions.
I turn on Two factor Authentication . But , two days ago , I got a text messages from fb “Your One time password is Bla Bla ” 3times . I bet that someone is trying to hack me but I feel like “I have two factor I don’t need to worry ” Unfortunately , when I checked login history, I found “Mac on chrome ” :’)
I’m currently using Huawei P20 . I dont have any Apple devices at all .I set strong password too using ” !?@+ “. How could that be :’)
Can u advice me something plz sir ?
How am I supposed to do to be more secure my Facebook Account !
In your shoes I’d change my password (make it secure, of course) and carry on. With two-factor you should be safe.
Hi Leo, I recently had a similar experience to Kaung Set. After receiving and ignoring password reset emails I received a text saying “get back onto Facebook by clicking…” which I also ignored. Then I received an email from Facebook saying “Your Facebook account was recently logged into using a confirmation code and the phone number …(my correct phone number)” in Firefox on Linux (I don’t use Linux) I didn’t press any links in case it wasn’t genuine and logged into Facebook and sure enough it said I was also logged on in Firefox on Linux at an unknown ip address. Of course I changed my password straight away but is there any way my text messages or whole phone are also compromised? How else would they have been able to log in via the phone confirmation code? Several anti-virus scans on my phone revealed nothing but I have since performed a factory reset. IJ
Honestly I don’t know. I’d be tempted to contact the mobile provider for any clues that they can provide. I agree it’s concerning. Do you by any chance have an app on your computer that allows you to send and receive texts via your phone? That’s another potential point of compromise.
Thanks for the reply Leo, I will get in touch with my mobile network provider. I don’t have any such applications on my computer. One other clue I found was that the unknown login came from an IP address on the same mobile network as my phone in the same geographical area, but the operating system and browser are both different. This might just be a coincidence.