Help! Someone has hijacked my Facebook account and is posting nasty things about me. How can I regain control and get rid of the embarrassing lies?
A Anyone with malicious intent and a little bit of tech savvy has a frightening number of options at his disposal if he is interested in taking over a Facebook account. In 2010, Seattle software engineer Eric Butler developed Firesheep, a Firefox extension that made it easy to hijack unencrypted browsing sessions on a public network. For a time Firesheep made logging in to a social network in a coffee shop or library an open invitation to your private account for anyone who was looking.
According to Tim Armstrong, a malware researcher at Kaspersky Lab, Facebook now has default encryption built into its site, which should fend off Firesheepers, but he believes that recent updates to Facebook have opened up other modes of attack. “Facebook changed the layout of the site recently so that it prompts you to reveal where you went to high school, your family members, the town you live in; all this information that is almost a one-to-one with password-reset questions,” he says.
Armstrong thinks the oversharing that occurs in a typical Facebook profile makes it easy for others to research their way through the typical questions that are asked by either Facebook or on-line e-mail providers when you forget your password.
Then again, maybe you just forgot to log out when you used a public computer (another big vector for hijackers). Regardless, once somebody gets into your account, it’s a simple matter to change the password and lock you out, then post practically anything under your name. And if that isn’t bad enough, there is the potential for collateral damage through Facebook Connect, which uses your Facebook credentials to log in to other sites. So you’re going to want to act quickly.
Facebook knows this is a danger and has tools for remediation. The company suggests that anyone who suspects his account has been hacked go to facebook.com/hacked, where users can lock down their account, change the passwords of linked e-mail accounts, beef up account security, and generally repair any damage.
Frederic Wolens, a spokesman for Facebook, calls security an arms race. “Our teams are always working to identify the next threat and build defences for it,” he says. “Most of these defences are invisible to users, and although malicious actors are constantly attacking the site, what you see is actually a very small percentage of what’s attempted.” Facebook does, indeed, have a large team dedicated to improving the security of the site, but once you get that account back up and running, we’d still advise heeding Armstrong’s warnings about oversharing.