Tech by VICE

How a Hacker Got Facebook to Let Him Take Over Someone Else’s Account

Aaron Thompson lost control of his Facebook account after an attacker used social engineering and a fake passport.

by Lorenzo Franceschi-Bicchierai
Jun 28 2016, 5:36pm

Who needs sophisticated hacking exploits and tricks to break into someone else's Facebook account when you can just ask to be let in?

On Monday, Aaron Thompson, a 23-year-old from Pontiac, Michigan, noticed that he couldn't log into his own Facebook account and that the email and phone numbers associated with his account had been changed. That's when, as he told me, he "panicked for a bit."

At that point, he checked his email and figured out what was happening. Sitting in his inbox, there was an email chain between Facebook's customer support and the hacker who had gotten control of his account.

"Hi. I don't have anymore access on my mobile phone number. Kindly turn off code generator and login approval from my account. Thanks," the hacker, posing as Thompson and pretending to have lost access to the phone linked to the account, told Facebook.

Facebook's automated response informed the hacker that if he couldn't get in by using Code Generator (part of Facebook's two-factor authentication system) the only other way was to send a photo ID to prove this was really Aaron Thompson.

The hacker then sent what looks like a scanned photo of a fake passport. None of the details in the passport, other than the name, are accurate, according to Thompson.

A redacted copy of the fake passport the hacker sent to Facebook.

But that was enough to convince Facebook's customer support to disable all the security mechanisms on Thompson's account and give the hacker control.

"Thanks for verifying your identity. You should now be able to log into your account," a Facebook support employee wrote in an email, which Thompson shared with Motherboard. "We've also turned off login approvals to help prevent you from getting locked out of your account again in the future."

At that point, Thompson tried to get his account back, telling Facebook that the person who sent the passport and requested the security features to be disabled wasn't really him.

Thompson told me that he felt "pretty devastated" about what had happened. He said that he runs a series of pages on Facebook, such as One Million Gamers, which combined have several million likes, so losing them was tantamount to losing his main source of income.

That's why Thompson is convinced that the hacker or hackers' motivations must have been to monetize his Facebook business pages. While in control of the account, however, the hacker apparently only sent messages to a few of his friends, including a picture of genitals to Thompson's girlfriend, asking her for nudes and calling her a "whore," Thompson said.

For almost a day, however, Thompson wasn't able to get back into his account. Out of frustration, he wrote about his experience on Reddit, in a thread titled: "[Today I Learned] that someone can change your Facebook email, password, and two step verification just by asking Facebook to turn off login approvals, and sending in a fake ID."

On Tuesday morning, after I reached out to Facebook about the incident, a spokesperson told me that the company had secured Thompson's accounts and pages, and they were working to reestablish his regular access.

"Accepting this ID was a mistake that violated our own internal policies and this case is not the norm," the spokesperson said.

So this story ends well, but it's a great reminder that no matter how many security measures you put on your online accounts, humans are still the weakest link. It doesn't matter if you have two-factor authentication and other modern security measures if a hacker can call up or email the service provider and convince a customer support employee to simply turn them off.