In this post, I’ll share with you the 7 most successful methods used to hack a Facebook account password, why each one works, and of course how to prevent it from happening to you.
Keep in mind that these attacks outlined here will work NOT ONLY for Facebook but also for ANY other online account out there. Facebook is only used as a case study.
“If you know how hackers are compromising systems and online accounts, you’ll be better informed and prepared to prevent it from happening to you” – Ojo Iszy.
Disclaimer: Information shared in this article is for educational purposes, so that people can be aware of how hacking works and how to protect themselves. Please don’t use these techniques for malicious purposes. I’ll not be held responsible for your actions.
1. Phishing Attacks
Phishing is cybercriminals’ most successful hacking technique and therefore the most commonly used attack vector.
Phishing attacks against Facebook accounts are so common that if your Facebook password was ever stolen, the first question you should ask yourself is, “when was I phished?”
This will help you work out how many of your other online accounts are at risk, because cyber crooks are devious. If they succeed in phishing you on one account, they now know you are easy prey and they proceed to phish you on other online accounts.
They will probably phish you on your email account next, or simply re-use that first password they got and see which of your other accounts it opens.
How to hack Facebook using Phishing attacks
Albeit very successful, a phishing attack is not an easy one to set up or pull off. The attacker needs some level of technical know-how and some social engineering skills to lure their victim into the phishing trap. But it is relatively inexpensive to set up compared to other attack methods.
1. First, the attacker needs to create and host a fake Facebook login page where the victim will input their username and password.
This fake page is usually an EXACT replica or clone of the original Facebook login page and it’s done in order to trick the victim into believing they are logging in to their Facebook accounts.
2. Secondly, they need to register a domain name that resembles the original and correct “www.facebook.com” domain name.
In the past, attackers used to register look-alike or doppelganger domain names like “www.faceboook.com” (notice the three “o”s) or “www.facebool.com”. All those have been clamped down on, because the FBI, domain registrars and sometimes Facebook regularly shut them down.
A recent and more disturbingly clever approach attackers have adopted is registering a single domain name and then using relevant sub-domain names for the different websites (e.g. Facebook) they want to go after.
An example, in this case, would be something like “www.facebook.com.signin-evilsite.ru”. Or something else like “www.signin.facebook.com.account.badsite.com”. Or whatever they choose to use.
“evilsite.ru” and “badsite.com” in these examples are the domain names registered to the attacker. The “facebook.com.signin” and the “signin.facebook.com.account” parts are the sub-domains that deceive the victim into thinking they are actually logging in to Facebook.
3. Thirdly, the attacker thinks up a delivery method (Social Engineering), finds a victim and executes the phish.
This is where the attacker’s Social Engineering skills come into play. He may come under any pretext, but the aim is to get the link of the phishing page to his victim. And depending upon the Attacker’s pretext he may be sending a link to the phishing page either via an email or on Facebook Messenger after chatting for a while with the victim.
Whatever the delivery method or pretext (the fake reason to use that phishing link) the attacker chooses to use, once the victim enters their Facebook credentials – username and password – they go straight to the attacker where he is waiting to harvest them.
Sadly, this works all the time because people are not educated about this kind of attack method, and that is the reason for this post: to draw public attention to things like this.
How to Prevent Falling for a Facebook Phishing Scam
Whatever method a malicious hacker uses to reach you, in the end you’ll be directed through a LINK to a fake website they control.
In that case, the absolute best way to detect that a website is a phishing scam targeting your Facebook account password is to watch out for the URL in your browser address bar.
1. Is that website that is asking for your Facebook password truly “https://facebook.com/”? (Notice the trailing slash, “ / ” ).
Anything can go in between “https://” and “facebook.com/”. Sometimes it could be “www”, “web”, “m”, “free”, e.g. https://web.facebook.com/. These are legitimate and should be trusted, because it is not possible to spoof an existing domain name (in this case, facebook.com).
But if you ever see “facebook.com” or “facebook” (or any variant) becoming a subdomain of another domain in this manner, e.g. https://facebooklogin.somesite.com/, and that page has a login form, it’s a phishing site.
2. Generally, you shouldn’t be clicking on links in emails. If a link tells you to sign in to Facebook, be wary of it. As a rule, I personally never click on links from emails, unless it is an email I’m expecting, like a password reset email. What I do is open a new tab and go to the website directly.
3. Sometimes a hacker may entice you with a link that promises you a Facebook feature, like “who viewed your profile”. They may not immediately present you with the sign-in form that would steal your password. But after a few seconds, through techniques that abuse your browser, you may then receive that form and get hacked (see more on #6 below).
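The address-bar check in item 1 can be written down as code. The following is an added example, not part of the original post: it takes the URL shown in the browser and applies the post’s own rules (the host must belong to facebook.com, “facebook” inside another domain is phishing, one- or two-letter look-alikes are phishing). The registrable-domain helper is a deliberate simplification that does not consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Subdomains of this registrable domain (web., m., www.) are trusted.
TRUSTED_DOMAIN = "facebook.com"


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. 'badsite.com'.

    Simplification: does not use the Public Suffix List, so hosts under
    two-level suffixes such as 'co.uk' are not handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alikes such as faceboook.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url: str) -> dict:
    """Classify the URL of a page that asks for a Facebook password."""
    # Bare hosts such as "www.facebook.com.signin-evilsite.ru" (written that
    # way in the post) have no scheme; assume https so urlsplit finds the host.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "phishing", "reason": "no hostname in URL"}

    domain = registrable_domain(host)
    if domain == TRUSTED_DOMAIN:
        if parts.scheme != "https":
            return {"verdict": "suspicious", "reason": "facebook.com over plain http"}
        return {"verdict": "legitimate", "reason": f"{host} belongs to {TRUSTED_DOMAIN}"}

    # "facebook" used inside someone else's domain: the subdomain trick
    # from the post (facebook.com.signin-evilsite.ru, facebooklogin.somesite.com).
    if "facebook" in host:
        return {"verdict": "phishing",
                "reason": f"'facebook' used inside another domain ({domain})"}

    # Look-alike spellings (faceboook.com, facebool.com).
    if edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        return {"verdict": "phishing", "reason": f"look-alike domain {domain}"}

    return {"verdict": "not facebook", "reason": f"unrelated domain {domain}"}


if __name__ == "__main__":
    for u in ("https://web.facebook.com/", "www.facebook.com.signin-evilsite.ru",
              "https://facebooklogin.somesite.com/", "www.faceboook.com"):
        print(u, "->", check_login_url(u))
```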
2. Facebook Password Reset (using Social Engineering)
Resetting the password of a user’s Facebook account is yet another way to gain easy access to that account.
This is usually very successful, especially when the attacker is a close contact or friend of the victim, or can somehow get hold of the personal information of the victim needed to reset the password.
But keep in mind that an attacker armed with social engineering skills can hack the Facebook account of his victim from halfway across the planet, without even knowing their victim’s name at the outset.
How Facebook passwords are being hacked using password reset
Successfully resetting a Facebook account password requires access to just one of the following:
1. The mobile number associated with the Facebook account.
2. The email address associated with the Facebook account.
3. A copy of the Facebook account holder’s ID.
Historically, Facebook used to allow resetting the password to an account by simply answering security questions set on that account. But now they ask you to provide a copy of your ID when you can no longer access either the email or phone number associated with your account.
While all the above three options may be good ways to prove your identity as the true owner, they can be a very easy means for an attacker to get into someone’s Facebook account using Social Engineering techniques.
A recent tactic used by cyber crooks is to go to the Facebook website and start a password reset for your Facebook account using the phone number option. This prompts Facebook to send you a password reset code.
As soon as that code arrives, you’ll receive a call from someone (always a female) pretending to be the previous owner of that mobile number, begging and pleading for you to send back to them “a certain code” they were sending or have sent to you on that number.
This attack type is the voice form of phishing known as Vishing.
(Let me know in the comments if you have received such calls before and what you did).
I need not tell you what follows after you do that, right?
You just forwarded the code to reset your Facebook account to that attacker.
Below is a screenshot of a classic case of that type of social Engineering happening via text messages.
Late last year and early this year, I got two of these types of calls requesting me to send back a code I would receive shortly on my phone. Do you want to know what I did? Of course, I gave them the correct codes. But it was the correct code to another password reset message that I may receive in the future. 🙂 I kept on giving the lady a 6-digit code I was making up in my head until they realised that I knew what was going on and that I was messing with them.
Furthermore, there are countless pretexts an attacker could use to get a copy of their victim’s ID card, which they could then use to “confirm their identity” when resetting the victim’s Facebook account password.
For example, a skilled social engineer can get documents, including all forms of IDs, from many unsuspecting victims by running a scam campaign that promises them a job. Part of the requirements would be to send scanned copies of their documents to the fake online company the attacker operates.
The attacker could then use these scanned copies of their IDs to reset the passwords of those whose Facebook accounts he thinks are worth looking into.
How to prevent falling for a Facebook password reset hack
For a social Engineering attack to be successful, malicious hackers have to be able to lay hands on some of your vital personal information and documents relevant to the attack. Usually, the more information they have about you, the higher the success rate.
1. “Polite paranoia” can help you prevent social engineering attacks like the phone call (vishing) type I described above. To learn how, I will hand you over to the best female social engineer I know in the industry, Rachel Tobac, to explain it.
2. Hide sensitive information about yourself on your Facebook profile, e.g. set the visibility of the email address on your Facebook profile to “Only me”.
3. Always be wary of sending documents bearing your private information to any entity or “company” on the internet. Once your important documents have been stolen, they are out there for life. They could be used for far more nefarious purposes than just stealing or hacking your Facebook account.
4. Answer your security questions incorrectly! Don’t make the answer to your security questions something someone can easily look up on your Facebook profile or guess intelligently.
E.g. the answer to the security question “what is the name of the city you were born in?” is something attackers can easily research and find out.
So always answer such questions incorrectly. If you are concerned that you may forget the answer, store it in a secure note; that is what password managers are there for.
3. SIM Swap Attack
Of all the methods, the SIM swap attack is the most devious and nefarious way to hack a Facebook account password, or any other online account password, in my opinion. It’s so nefarious I don’t even want to think about it.
A SIM swap attack is a form of identity theft in which an attacker convinces or tricks a cell phone carrier into moving the victim’s phone number onto a new SIM card the attacker owns.
The attacker does this in order to divert the SMS text messages containing One-Time Passwords (OTPs) that are sent to the phone number when doing things like resetting a social media account password, carrying out a banking transaction, etc.
How to prevent falling for a SIM Swap fraud
There is really not much one can do if you are targeted by SIM swappers but there are some precautions that can definitely help.
1. Do not link your phone number to your Facebook account; instead use only email as a recovery option.
2. Use two-factor authentication for your Facebook account that does not rely on SMS for receiving the codes.
3. Keep the personal information that protects your Facebook account visible to only you on your profile.
4. Keylogging
Keylogging is a plainly nefarious way of stealing not only a Facebook password but any other password, as well as sensitive information including, but not limited to, credit card details, SSNs, etc.
There may be some good reason for using it, perhaps to monitor what your children are doing online or to catch a cheating spouse, but it’s just so scary when I think of its capability and how it works.
There are basically two types of keyloggers: software and hardware. A software keylogger can be installed on the victim’s computer remotely, while hardware keyloggers, as you may have guessed, need physical access to the victim’s device.
How Keyloggers can be used to hack your Facebook account password
A keylogger is a program that records EVERY keystroke a user types using the keyboard of their computer, most often without their knowledge.
After the program has been installed on the computer, which could be remotely (software), or by plugging into one of the computer’s USB ports (hardware), the keylogger starts to listen for and capture keystrokes undetected in the background.
Thereafter, the captured keystrokes are sent to the attacker via email hourly or daily depending upon the frequency he has set to receive the captured keystrokes. Or the attacker could go to retrieve the keylogging device in the case of a hardware type.
Now for stealing a Facebook account with a software keylogger, what an attacker could do is bind a keylogger executable with a legitimate executable and send it off to the victim.
Upon installation of this innocuous-looking executable, the keylogger is activated and runs at startup of the computer for as long as the program is installed. And many times, antivirus software will not detect this keylogging activity.
This is just one example, there are MANY other ways a skilled attacker could go about this though. So keep that in mind.
How to protect your online accounts from keylogging
One of the places you will most definitely find a keylogger installed by a malicious person is on a public computer, like in a Cafe.
In such a situation, no matter how strong and secure of a password you use, your accounts you logged into on that computer are at great risk.
1. Never trust a public computer. In fact, I recommend never using a public computer. If you must use one, then when you are about to log in to any account, use an on-screen keyboard. Some banks that are serious about security restrict users to logging in to their online banking accounts using only an on-screen keyboard.
2. Use a password manager. Keyloggers cannot capture what you did not type. A password manager can fill in passwords and online forms like credit card data without you having to type anything.
3. Use an antivirus program. If you are on a Windows computer, ensure you turn on and update the built-in Windows Defender. It has gotten better at catching some of these malicious programs.
5. Fake WiFi HotSpot
Setting up a Fake WiFi HotSpot is another disturbingly clever but lesser-known way to not only hack Facebook account passwords, but also other passwords to important online accounts like Gmail.
All an attacker needs to pull this off is a cheap pocketable Raspberry Pi computer, a Wireless Network Adapter, a free open-source WiFi hacking program, and a crowded place with lots of people who would connect to “Free WiFi”.
People love free WiFi and they connect indiscriminately whenever they find one.
Hackers know this and that’s the reason why the tools for doing this type of WiFi hacking have been so improved upon and perfected over the years.
It’s important to note here that WiFi hacking, as an aspect of hacking in general, is a huge topic on its own. There are many ways to hack someone over a WiFi network (e.g. man-in-the-middle attacks), but the Fake WiFi HotSpot method, which is just a small part of it, is going to be our focus here.
How a Fake WiFi HotSpot can be used to hack your Facebook account
The Fake WiFi HotSpot attack works exactly the same as the classic phishing method we described in #1, except that this time it is implemented via WiFi.
All the attacker needs to do is set up a fake WiFi hotspot or access point that is free but requires you to log in before you get network connectivity, much like the type of enterprise WiFi you have in hotels, universities and airports.
Now, instead of a login page where you’d have to input something like your Hotel room number or student ID as the username and a password they’ll generate for you, you’ll get the classic “Log in using Facebook” page (screenshot below).
What’s more, this is not only limited to Facebook, you can create a customized page for any social media website of your choice.
As I earlier said, these tools have been so perfected that even if a victim suspected foul play and tried to input a wrong set of Facebook credentials just to test, the tool checks for correctness on the backend by actually trying to log in on Facebook with those credentials.
What’s left is for the attacker to package this nifty tool inside the inexpensive Raspberry Pi computer we talked about earlier (again, this is just for the sake of portability and inconspicuousness) and then take it to a place with many people who would connect to this “Free WiFi”.
How to prevent falling for a Fake WiFi HotSpot attack
I guess this one is pretty obvious. If you don’t want your Facebook account to be hacked, you should never “log in with Facebook” on any website that is not Facebook.
As a matter of fact, I tell my friends if you’re feeling too lazy or for some reason cannot create an account for a website you are interested in, don’t use the seemingly easy option of “Sign in with Facebook” or “Sign in with Google”.
This is because, apart from the WiFi hotspot attack method, malicious hackers can set up websites that offer only this sign-up method in order to steal account credentials.
Other precautions to take note of when connecting to WiFi networks:
1. Do not connect to open (unencrypted) WiFi networks. Your data could be sniffed (meaning your passwords can be stolen) as you browse the web on it.
2. If you find that your device is connecting to WiFi network names that are out of place, like your office WiFi when you are miles away, disconnect immediately. That is a WiFi hacker trying to steal your credentials, because hackers know your mobile and computer devices will automatically connect to a previously used network with the same WiFi name.
3. If you are suddenly unable to connect to your home or office WiFi, check to see if there is another network with the same WiFi name as yours you are having problems with. If there is, then an evil twin WiFi attack may be going on.
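Items 2 and 3 are checks you would normally do by eye. The following is an added example, not from the original post, that applies them to a WiFi scan result: it flags a known network name appearing from an access point you have never seen, and a known name being advertised as an open network next to its secured original. The scan entries, names and BSSIDs are constructed for the example; a real tool would feed in the output of the OS scan.

```python
from dataclasses import dataclass


@dataclass
class ScanEntry:
    ssid: str
    bssid: str      # access point hardware address
    security: str   # "open", "WPA2", "WPA3", ...
    signal_dbm: int


# Constructed: the networks I trust, keyed by name, with the BSSIDs I have
# seen them on before (for example recorded from the router's admin page).
KNOWN_NETWORKS = {
    "HomeNet": {"aa:bb:cc:00:00:01"},
    "OfficeWiFi": {"aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"},
}


def find_evil_twins(scan: list[ScanEntry], known: dict[str, set[str]]) -> list[str]:
    """Return one alert string per suspicious network in the scan."""
    alerts = []
    by_ssid: dict[str, list[ScanEntry]] = {}
    for entry in scan:
        by_ssid.setdefault(entry.ssid, []).append(entry)

    for ssid, entries in by_ssid.items():
        if ssid not in known:
            continue  # unknown names are not "twins" of anything I trust
        # Rule from item 3: a name I trust, served by a BSSID I have never seen.
        for e in entries:
            if e.bssid not in known[ssid]:
                alerts.append(f"{ssid}: unknown access point {e.bssid} "
                              f"({e.security}, {e.signal_dbm} dBm) uses a trusted name")
        # A trusted name advertised open alongside its secured original.
        if any(e.security == "open" for e in entries) and \
           any(e.security != "open" for e in entries):
            alerts.append(f"{ssid}: advertised both open and secured, possible evil twin")
    return alerts


# Constructed sample scan: the real HomeNet plus an open copy on a strange BSSID.
SAMPLE_SCAN = [
    ScanEntry("HomeNet", "aa:bb:cc:00:00:01", "WPA2", -48),
    ScanEntry("HomeNet", "de:ad:be:ef:00:01", "open", -35),
    ScanEntry("CoffeeShop", "11:22:33:44:55:66", "open", -70),
]

if __name__ == "__main__":
    for alert in find_evil_twins(SAMPLE_SCAN, KNOWN_NETWORKS):
        print("ALERT:", alert)
```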
6. Browser Hijacking (session timed out attack)
Did you know that someone could hack your Facebook account password with a very simple trick if they could hijack your browser?
The browser hijacking method is a form of phishing attack that uses a clever social engineering trick to get victims’ passwords after hooking their browsers, which is pretty easy to do.
How to hack Facebook accounts with browser hijacking
As soon as the victim clicks the attacker’s link, boom! Their browser is hooked and ready to take commands from the attacker. Just like that!
All that is left is for the attacker to send a command which displays a dialog box to the victim on their browser, informing them of a session time out on their Facebook account.
If the victim takes the bait and logs in with their credentials, they have just given the hacker their Facebook password.
Note: “Session timed out” is only but one of the numerous attacks that could be carried out on a victim browser after it’s been hooked. A malicious software update can also be forced on the victim, as well as a drive-by download attack.
How to prevent a browser hijack attack
The best way to prevent a browser hijacker from hacking your Facebook account password is to beef up your browser security using security browser extensions. This is all you need to foil such cyber hacking attempts from happening on your browser.
Secondly, whenever you get one of those “your session has expired, please log in again” dialog boxes, first enter a wrong set of credentials just to check if it is legitimate. (But you cannot and should not entirely rely on this method of checking though).
7. Facebook Hacking Software, Apps and Sites
Have you ever been in that position where you tried to hack into someone else’s Facebook account to see what they were up to? Probably this was your spouse or child or a close friend?
After a quick Google search for a Facebook hacking tool, there you were with a website claiming they had a 100% working Facebook password cracking tool that works both online and offline.
You then downloaded this “Facebook hacking app” onto your computer or mobile phone and ran it. And interestingly, all this app or website (online version) needed was the Facebook ID of the victim. Hmm…
After providing the Facebook ID of your victim, they take you through a very long survey. Or, even worse, they threaten to report your intentions to the victim you were targeting if you don’t pay up a certain amount.
In the end, you found out that this website or app is utterly useless and you uninstall it. Don’t despair, we have all been there at some point (at least I have been 🙂).
But is that all? I don’t think so…
You may have just gotten hacked by the same App or software that you thought could give you the Facebook password of someone else.
Facebook hacking apps can hack more than just your Facebook password
As opposed to the other methods of hacking Facebook account passwords on this list, here you are the one that gets hacked. Kind of the hunter becoming the hunted.
Even worse, there’s a huge possibility that you have been infected with malware (a trojan) capable of stealing more than just your own Facebook password: it could also steal every other password stored in your browsers, and possibly install a keylogger on your computer to send all your future account passwords and banking details, including credit card information, to the attacker.
This kind of malicious software scam has been around almost since the beginning of the internet, and it has a very high success rate on victims.
In this case, it works on a victim because of their desperation to know what’s on another’s Facebook account.
Another huge reason this can be pulled on unsuspecting victims is because they do not know the implications of downloading untrusted executables on their computer systems.
All Facebook hacking software or websites are fake
Facebook Inc. is a multibillion-dollar establishment, and a simple piece of software or a website, probably created by an amateur, cannot just give you access to someone else’s account with ONE click.
If that were possible, everybody’s Facebook account would be vulnerable to hacking and nobody would be willing to use the platform, let alone create a business that solely relies on it.
Even if these websites were able to hack Facebook and give you someone else’s password, the loophole that made that possible would not see the light of day before it was closed by the Facebook security team.
So in a nutshell…
Never trust Facebook hacking software, apps or websites. These are all fake and could be more than you bargained for.
In conclusion, you should be aware that “how to hack Facebook” is one of the most searched terms on the internet today.
Malicious people are constantly looking for new working methods to hack the Facebook accounts of others.
So if your Facebook account means anything to you, here are more ways to protect your Facebook account from hackers.