It’s 7:39 AM and I get a panicked message from a friend:
My Facebook just got hacked!!!
For the next two and a half days it’s a frenzy of activity to contain, mitigate, restore, and analyze. Finally, coming up for air, we sit down and review what happened.
The prior evening and early morning of the hack, there was an increase in logon/logoff activity on the account from a multitude of IP addresses across the mid-United States. Because the account was not locked to authorized devices, this went unnoticed by the victim. Once the login password was established, the hacker(s) went to work, changing the login password, verification phone number, and account login/user id. What really helped the victim is that the email password and the Facebook password were (slightly) different, his Facebook account was not linked to any other apps for login, and by some divine intervention, he tried logging in about 15 minutes after the compromise, which allowed us to secure the email account, financial accounts, and all other logons that matter. It then took us two days to recover the Facebook account by submitting proof of ID, creating a new email address, and seizing the account back from the perpetrators.
So how did this happen?
We previously posted about several high profile data breaches that resulted in reams of user data being available on the DarkWeb for anyone to procure and see. Reviewing this particular person's history revealed that
1) He was using the same email account to register for various sites that were then compromised
2) He was using a relatively simple password, and when changing it, maintained the overall password structure, adding an alphanumeric character or removing it here and there
3) His password changes formed a pattern that allowed the attacker to quickly guess what the other variations might be
4) He had a key-logger malware on his work system that he used to access Facebook
With this information at hand, the attacker(s) were able to break into the victim's Facebook account, intending to use it as a staging platform for further compromises.
As mentioned above, the impact was minimized by rapid response and some basic controls that were in place. However, the attacker was able to get the victim's contact list, so we sent out a notice to all contacts to be on the lookout for potential phishing/social engineering attacks.
So how can this be avoided, or at least minimized?
1) Realize that platforms like Facebook, Google, iCloud, and Office365 are your core access modes for everything you do
2) Follow the latest NIST guidance for password security: at least 12 characters, preferably a phrase, keep the punctuation/spacing
3) Enable multi-factor authentication across all platforms (it’s FREE)
4) Lock access to your core accounts to certain devices (like a home desktop/laptop and a mobile device)
5) DO NOT USE YOUR WORK SYSTEMS FOR PERSONAL ACCESS
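The password-variation pattern described in points 2) and 3) above, and the length advice in point 2) of this list, can be enforced at password-change time. The following is an added example, not code from the original post: it normalizes away the cosmetic changes (case, digits, punctuation) the attacker exploited, rejects a new password whose core is a near-copy of a previous one, and screens against a breach list as NIST SP 800-63B recommends. The password history, the breach set, and the similarity threshold are constructed sample values.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: the victim's previous passwords (small variations
# of one core, as the post describes) and a stand-in for a breach-corpus
# lookup. In practice the breach check is a query against a real
# compromised-credential list, not an in-memory set.
HISTORY = ["Fluffy2016!", "Fluffy2017!", "fluffy2018"]
BREACHED = {"Fluffy2016!", "password123", "qwerty12345"}

MIN_LENGTH = 12        # the post's recommended minimum length
MAX_SIMILARITY = 0.8   # assumed threshold; tune for your environment


def normalize(pw: str) -> str:
    """Strip the cosmetic changes the post describes (case, digits,
    punctuation added or removed here and there) to expose the core."""
    return re.sub(r"[^a-z]", "", pw.lower())


def similarity(old: str, new: str) -> float:
    """How much of the normalized core is shared, as a ratio in [0, 1]."""
    a, b = normalize(old), normalize(new)
    if not a and not b:
        return 1.0
    return SequenceMatcher(None, a, b).ratio()


def check_new_password(new: str, history=HISTORY, breached=BREACHED) -> list[str]:
    """Return the reasons a proposed password is rejected; empty means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if new in breached:
        reasons.append("appears in a known breach list")
    if new in history:
        reasons.append("reused verbatim")
    elif any(similarity(old, new) >= MAX_SIMILARITY for old in history):
        reasons.append("trivial variation of a previous password")
    return reasons


if __name__ == "__main__":
    for candidate in ["Fluffy2019!!", "Fluffy2017!", "correct horse battery staple"]:
        verdict = check_new_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```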
Feel free to reach out if you have further questions on the matter, until the next time…