How Hackers Hack Facebook Accounts (And How To Be Safe Online): 4 Common Ways To Hack Facebook Account

Reymarck Esaguirre
9 min read · Dec 1, 2021


You don't happen to store your secrets in your Facebook account, do you?

Facebook. Ah, the biggest social network. The godfather of all social media sites. Who doesn't have a Facebook account these days?

Statista reports that Facebook is the biggest social network worldwide, with 2.91 billion monthly active users. That is about 30% of the world population, almost the population of China, India, and Russia combined! Facebook is not to be messed with!

But the beauty of such a service does not come cost-free. Not only does Facebook own the biggest network of people, it is also one of the most frequently attacked sites. And since your data, such as private messages, can be found on Meta products, it is no wonder hackers target these accounts.

Here are some common ways that hackers get access to your Facebook account, and how to keep yourself safe.

1. Be Careful Against Phishing/Social Engineering

Attack Method: Phishing/Social Engineering

According to Mitnick Security, social engineering is still the most common attack method there is. Humans are the best exploit targets, as we cannot be easily "patched", unlike software. And with Facebook hacking, humans are still the number one attack vector for the hacker.

Phishing masks as the real website.

Phishing works by making an attacker's website look as legitimate as it can. It tries to pass itself off as the real Facebook.com, from the domain name down to the HTML itself. Attackers will often copy the real service's page source and paste it into their own site. To a non-technical user's eyes, the attacker's page looks legitimate.

Because the victim is not on the actual Facebook.com, and instead is on attacker.com, all of the credentials they enter go to the attacker. This lets the hacker learn what your email and password are.

An example of a website pretending to be facebook.com (take note of the suspicious URL)

Defense against it:

Check the URL of the page, especially if you just got the link from an unknown source. Does the URL have a misspelling in it? If it does, stay away from it. Watch for confusing spellings such as "facebaok.com" or "faceb0ok.com", and stay away from those. Here is a full list of all Facebook domains. If it isn't on the list, try to avoid it.

Facebook will never make a link outside its domain. So it will not use domains like "Facebooksecuritysupport.com" or "facebook.com.fbtechsupport.com". Facebook will usually use subdomains like developers.facebook.com, which is a legitimate Facebook domain. So check whether the link you used is from Facebook.com or *.facebook.com (* can be anything); if it isn't, stay away from it.
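The host check described above, written out as a small script. This is an added example, not code from the article; it uses only the Python standard library and treats exactly one apex (`facebook.com`) plus its subdomains as legitimate, which is the article's rule. Note that it inspects the URL's host, not the URL string, which is what defeats look-alikes such as "facebook.com.fbtechsupport.com":

```python
from typing import Optional
from urllib.parse import urlsplit

# The only hosts the article treats as legitimate: the apex itself or any
# subdomain that ends in ".facebook.com" (e.g. developers.facebook.com).
LEGIT_APEX = "facebook.com"
LEGIT_SUFFIX = "." + LEGIT_APEX


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased host part of a URL, or None if there is none."""
    if "://" not in url:
        url = "http://" + url          # bare hosts as pasted into a chat message
    host = urlsplit(url).hostname      # drops scheme, credentials, port and path
    return host.lower().rstrip(".") if host else None


def is_facebook_host(url: str) -> bool:
    """True only when the host is facebook.com or a real *.facebook.com subdomain.

    Suffix-matching the host (not the whole URL) is the point:
      facebook.com.fbtechsupport.com  -> host ends in fbtechsupport.com  -> False
      attacker.com/facebook.com/login -> host is attacker.com            -> False
      faceb0ok.com                    -> neither apex nor suffix match   -> False
    A True result says the domain is genuine; as the article notes, it does not
    by itself rule out phishing via a taken-over subdomain.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return host == LEGIT_APEX or host.endswith(LEGIT_SUFFIX)


def triage_links(urls: list) -> dict:
    """Map each link to 'facebook' or 'suspicious' for a quick visual review."""
    return {u: ("facebook" if is_facebook_host(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample links, including the article's own look-alikes.
    for link, verdict in triage_links([
        "https://developers.facebook.com/docs",
        "https://facebaok.com/login",
        "https://facebook.com.fbtechsupport.com/login",
        "https://attacker.com/facebook.com/login",
    ]).items():
        print(f"{verdict:10s} {link}")
```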

Do not open links from unknown sources. Even if the URL does not alarm you, phishing is still possible. An example of this is when Facebook had a subdomain takeover vulnerability.

Subdomain takeover

A subdomain takeover happens when an attacker gains control of a real subdomain of the service and uses it to pose as the actual service. This makes phishing even worse, as it takes advantage of the real website's credibility on the domain name. Check this article for more info on a Facebook subdomain takeover vulnerability.

However, you can still avoid this by not clicking on links you receive from someone unknown or untrustworthy. And never enter your credentials into such pages.

2. Watch out for Keyloggers!

Attack method: Keyloggers

This one is different. Unlike phishing, which steals your credentials when you send them to the wrong service, keyloggers steal your passwords as you type them, no matter where you type them.

A keylogger is a piece of software (or hardware) that listens for and logs all your keystrokes, and sends them to the attacker over the Internet. This log might contain not only your social media password, but also your banking credentials and other private information.

Defense against it:

Use a password manager. A keylogger works by listening to the keyboard, so a good password manager will not be vulnerable to such attacks: because password managers don't require you to type your passwords, you are safe from keyloggers.

Usually, if the malware is only a keylogger and does not contain other malicious components (such as remote administration tools that let the attacker control your PC from the other side of the world), then a password manager is one of the best defenses you can have against such malware.

You can also run an anti-virus scan. While there is no guarantee that scanners can catch all of the malware on your computer (especially the well-crafted kind), it is worth scanning with an updated anti-virus scanner.

Since a keylogger is malicious software that has to be installed on your computer, I would also advise not downloading files from unknown sources. Just like with phishing above, avoiding clicking on suspicious links could be your best defense against keyloggers and most types of malware.

3. Stored Passwords

Attack method: Hacking Password Managers

Alright, I know, I know. I just advised you to use a password manager to combat keyloggers, and now I am warning you about them. But hey! Hackers always find a way, and if that means hacking the piece of software that stores your passwords, they will find a way.

Password managers are great; don't let other people touch your vault, though

There are password managers that store passwords locally. This excites hackers, as all they need now is access to your computer and the location where the password manager stored your passwords.

But password managers that store passwords in the cloud are also vulnerable to such an attack. If the service you use gets hacked (which happens too), your passwords might be compromised as well.

Defense against it:

On the Password Manager Service side

First, take note that this should not discourage you from using password managers. The attacks that happen on major password managers occur mostly because it is simply impossible to create 100% hack-proof software. That said, password managers are usually prepared for such situations.

Take a look at this example from LastPass. A few years ago, the security team at LastPass noticed unusual, suspicious traffic. They immediately got suspicious, and according to this article, their team implemented two-step verification for all of their users within an hour of the breach. You can read their full article for more information on the topic.

On the User

Always keep your favorite password manager up to date. Each time a company fixes a vulnerability, it releases a new update with the bugs patched. So remember to keep your manager updated.

But like the other advice I gave, I will always say: careful with that link! These attacks on password managers happen when the attacker can get their hands on your computer, which can happen if you download malware. You don't want others using your computer! So stop clicking on suspicious links.

4. Be Alert for Data Breaches

Attack method: Buying stolen username and password hashes

A data breach is a security breach that steals or compromises information stored in a database. This is different from the others: most of the defense here isn't actually in the victim's hands. The database that stores their credentials is not secured by the victim, but by the developers, obviously.

Data breaches are a common occurrence. They are a problem for developers and security engineers, as many people try to break into their databases and steal credentials and other user data.

According to The Private Clearinghouse, there have been 9,000+ data breaches since 2005 (The Private Clearinghouse, via PolitiFact). Billions of credentials, credit card details, and various IDs have been stolen.

So how do you protect yourself against this?

Defense Against It:

Hashes and Strong Passwords

As I have said, the customer does not have control over data breaches. But there is something the customer can do to protect themselves.

When the password is stored in a database, if the service does its job well, it does not store the actual password string. What it saves in the DB is a hashed version of the password. This is the last line of defense that the developers have against breaches.

Hash functions like MD5 and SHA-256 (or, sometimes, a cipher like AES-128) are used by the devs to produce a hashed version of the password. These hashes are hard to crack, especially when the password is a strong one.
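As an added example of this "last line of defense" on the developer side (not code from the article), here is how a service can store a password so that a leaked table is hard to reverse: a per-user random salt plus a deliberately slow key-derivation function, contrasted with the unsalted fast hash the article names. PBKDF2-HMAC-SHA256, the iteration count and the `algorithm$iterations$salt$digest` record layout are this example's own choices:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed for this example; real
# deployments should follow current guidance for whichever KDF they pick.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt per user means two users with the same password
    get different records, so one precomputed table cannot serve every account.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False                       # unknown or malformed record
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """What the weak alternative looks like: fast, unsalted, and identical for
    every user who chose the same password, so a leak exposes them all at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the article's own weak password, stored two ways.
    record = hash_password("123456Seven")
    print("salted KDF record :", record)
    print("login with right pw:", verify_password("123456Seven", record))
    print("login with wrong pw:", verify_password("123456seven", record))
    print("unsalted MD5 (same for every user):", unsalted_md5("123456Seven"))
```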

When the bad guys are trying to get your login information, they will try to crack the password. Weaker passwords like "123456Seven" are easier to crack. But stronger ones can take years or decades, depending on the "cracking" ability of the criminals.

So the biggest defense you have is a really strong password. Mix upper- and lower-case letters. Replace some letters with numbers and special characters like $#%@&?!. A password like "k1lLj0¥" is much harder to crack than "passwordpasswordpassword123321".

But some security researchers advise using not a password but a "passphrase". A word like "anya123" is weaker than a phrase like "anyataylorjoyisthebestactressinhollywood". Replace some of the letters in that with numbers and special characters, and you have yourself a strong, easy-to-remember password that will take hackers years to crack.

Have I Been Pwned and Changing Passwords

www.haveibeenpwned.com

There is a popular service called haveibeenpwned by Troy Hunt. This service lets you input your email address, and it will search through different data breaches. It will then tell you if your credentials have been compromised in a data breach.

This is a good resource to see if your account has been compromised. When it has, I advise that you change your passwords right away. If you don't, your credentials are most probably being auctioned on the dark web right now for $3.

On changing your passwords, consider the following:

  1. Use a recommendation from your password manager, as they generate random strings of characters that don't make sense, like "kd32Ds5Ow$%s/".
  2. Use a passphrase instead of a password. A random phrase like "The Sun is going to die in 5 billion year$" is still better than "Curry#30".
  3. Do not use a passphrase that can be tied to your personal life, like "I love Anya Taylor Joy m0v13s" or "I live in Man1la".
  4. Do not use the same password on different websites. This contains a hack to one website only, so it does not affect the others.
  5. Do not write your passphrase on a random piece of paper. If you need to remember it, at least do not write it out completely. If your passphrase is "queen's gambit are great" and you need a reminder, try writing "queen's gambit" instead. You only need a reminder, not the whole thing. Once you read a part of the phrase, you can remember the rest.

No System Is Safe

You cannot make a 100% invincible system. There will always be a flaw, there will always be a way "in"; no system is safe. Either one of your devices is vulnerable, or the service you use has the vulnerability. No one is safe. Not even NASA or the FBI (read this).

Your best weapon is beyond what I have told you so far. While we can't always be sure of our safety in cyberspace, we can do something to minimize the damage. If the hacker can find a way in, just make sure they cannot see anything. Do not store your secrets online. Do not use Facebook to talk about your dark secrets. If the burglar can get in, at least make their entry useless by not having anything worth stealing, like your secrets.

This advice protects you from the damage the hacker can do after breaking in, while the other advice I gave is meant to make breaking in hard enough that the hackers just give up.

All in all, this is how Facebook accounts get hacked (and how to protect yourself). These methods have defenses that security researchers are still working on. And remember that while no system is safe, it is still better to have some defense against the cybercriminals. Have fun surfing, and be safe!
