It has been claimed that criminals can hack into your Facebook account by doing one simple thing – finding out your old phone number.
Facebook lets you reset a forgotten password by entering the phone number on your account. It then texts a one-time code to that number, and whoever enters the code can set a new password.
The problem comes when you have changed numbers but never removed the old one from your account. Carriers recycle numbers that fall out of use, so whoever is given your old number next can request a reset code on your behalf and receive it, turning Facebook’s own recovery system into a way into your profile.
Independent programmer James Martindale demonstrated this by hijacking a few Facebook accounts himself. In the post he wrote for “Medium” he explained that he got into several accounts without knowing the owners, touching their devices, or being anywhere physically near them.
Martindale accessed a stranger’s account simply by typing in one of his own old phone numbers; such numbers are routinely recycled and handed to new subscribers once their previous owners give them up.
“I knew Facebook by default lets people find your account with your phone number, so I typed the number into the search bar to see what came up. A single account. I opened Facebook in an Incognito tab in Chrome, and attempted to sign in with the phone number as the username and a bogus password.
Of course it didn’t work. So I clicked on Forgot your password. The recovery option with the completely visible [until I censored it] phone number was the one I entered. Facebook texts me a code, I enter it, and I’m logged in.”
The only thing the attacker needs is for the number’s previous owner not to have removed it from their Facebook profile. In practice many users never do, and Facebook does not prompt you to review the phone numbers on your account.
To show how common this is, Martindale repeated the attempt with other old numbers, and it worked again and again.
In a statement provided to The Register, Facebook said: “Several online services allow people to use phone numbers to recover their accounts. We encourage people to only list current phone numbers, and if we detect the password recovery attempt as ‘suspicious’ we may prompt the person for more information.”
The best way to protect yourself, then, is to remove old phone numbers and other outdated recovery details from your account, and to do the same on every online service that offers SMS-based recovery, not only Facebook. It is also worth checking the setting that lets people find your account by phone number, which Martindale notes is on by default, since that lookup is what turns a bare number into a target.
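The flow described above, as an added example rather than anything from the article, from Martindale, or from Facebook: a small Python model of SMS-based password recovery in which a toy phone network hands a number to a new subscriber. The unhardened service behaves the way Martindale describes, so the new holder of a recycled number receives the reset code and takes over the account. The hardened variant refuses to send a code when the number on file has not been re-confirmed for a long time and the request comes from a device the account has never seen, one plausible way a service could act on the “suspicious” signal Facebook mentions. The account and device names, the sample number, the one-year staleness threshold and the known-device check are all assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumption: a recovery number the user has not re-confirmed for more than
# a year is treated as possibly recycled. Real services would tune this.
STALE_AFTER_SECONDS = 365 * 24 * 3600
NUMBER = "+15550100"   # constructed sample number


@dataclass
class Account:
    username: str
    password: str
    phone: str
    phone_verified_at: float              # last time the owner confirmed this number
    known_devices: set = field(default_factory=set)


class Carrier:
    """Toy phone network. A number belongs to whoever currently holds it, so an
    SMS sent to a recycled number lands in the new subscriber's inbox."""

    def __init__(self):
        self.holder = {}   # number -> subscriber name
        self.inbox = {}    # subscriber name -> list of received texts

    def assign(self, number, subscriber):
        self.holder[number] = subscriber
        self.inbox.setdefault(subscriber, [])

    def send_sms(self, number, text):
        self.inbox[self.holder[number]].append(text)

    def last_sms(self, subscriber):
        return self.inbox[subscriber][-1]


class RecoveryService:
    """Password reset by SMS code. With hardened=False it behaves like the flow
    in the article: anyone who can read texts sent to the number on file gets
    a reset code. With hardened=True a stale number plus an unknown device
    blocks the SMS-only path."""

    def __init__(self, carrier, accounts, hardened=False, now=time.time):
        self.carrier = carrier
        self.accounts = {a.phone: a for a in accounts}   # lookup by phone number
        self.hardened = hardened
        self.now = now
        self.pending = {}    # phone -> outstanding one-time code

    def find_by_phone(self, phone):
        # Mirrors "Facebook lets people find your account with your phone number".
        return self.accounts.get(phone)

    def start_recovery(self, phone, device_id):
        account = self.find_by_phone(phone)
        if account is None:
            return "no-account"
        if self.hardened:
            stale = self.now() - account.phone_verified_at > STALE_AFTER_SECONDS
            unknown_device = device_id not in account.known_devices
            if stale and unknown_device:
                # The number may have changed hands and nothing else ties this
                # request to the real owner, so do not send a code at all.
                return "needs-additional-verification"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        self.carrier.send_sms(phone, f"Your reset code is {code}")
        return "code-sent"

    def finish_recovery(self, phone, code, new_password):
        if self.pending.get(phone) != code:
            return False
        del self.pending[phone]
        self.accounts[phone].password = new_password
        return True


def simulate(number_holder, device_id, hardened):
    """Owner 'victim' registered NUMBER two years ago and never re-confirmed it.
    number_holder is whoever the carrier currently gives the number to, and
    device_id is where the recovery request comes from.
    Returns (status, whether the password was changed)."""
    now = time.time()
    carrier = Carrier()
    carrier.assign(NUMBER, number_holder)
    victim = Account("victim", "hunter2", NUMBER,
                     phone_verified_at=now - 2 * STALE_AFTER_SECONDS,
                     known_devices={"victim-laptop"})
    svc = RecoveryService(carrier, [victim], hardened=hardened, now=lambda: now)
    status = svc.start_recovery(NUMBER, device_id)
    if status != "code-sent":
        return status, False
    code = carrier.last_sms(number_holder).split()[-1]   # read the texted code
    changed = svc.finish_recovery(NUMBER, code, "new-password")
    return status, changed and victim.password == "new-password"


if __name__ == "__main__":
    # Recycled number, attacker's incognito browser, as in the article.
    print("unhardened:", simulate("attacker", "attacker-incognito", hardened=False))
    print("hardened:  ", simulate("attacker", "attacker-incognito", hardened=True))
    # The real owner on a device the account has seen keeps working.
    print("owner:     ", simulate("victim", "victim-laptop", hardened=True))
```

The staleness check only buys anything because the service also knows something the new number holder does not have, here a previously seen device; on its own, a stale number would lock out legitimate owners who simply never re-confirmed it. Removing old numbers from the account, as the article recommends, is what takes the recycled number out of the picture entirely.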