How much safe am I on Facebook?

I recently became interested in internet protection and security. I have few questions though.

Can hacker randomly attack someone on Facebook, perhaps only because the victim has a weaker password (eg a short word and 1 symbol), even if he doesn't even know the victim?

Could they perhabs try to log into some random account and click on forgot my password and mobile number and somehow "recover" the account only with the help of a password?

Is it necessary to send an email (phishing) before or can they just hack the facebook itself?

Does a hacker have to know his victim or can he just break into random accounts?

Comments

  • UkkoUkko Posts: 2,995 Superuser
    edited May 12

    Hello,

    Sorry for my reply. I am only an F-Secure user (their home solutions). So, just kind of a discussion.

    Can hacker randomly attack someone on Facebook, perhaps only because the victim has a weaker password (eg a short word and 1 symbol), even if he doesn't even know the victim?

    Yes, very likely. Maybe even such a background is most often situation. Whereas targeted attacks are more hidden and with a lot of fantasy around tricks - can be done by 'friends' as a joke or by competitors / rivals as a 'treat'. Targeted attack is an almost 'detective' crime adventure.

    But accounts with weak password or leaked password can be compromised pretty quickly. So there are indeed can be random attacks against random victims. Someone (sometimes can be called 'hacker') can to initiate automated attacks against 'any' (all) account / emails / phones or so on. Or can to use leaked data about users and to reuse (attempt to reuse it). It is can be automated and done by "bots" or by specific "tools" or even manually. Then compromised ('unknown' victim for attacker) account can be used for some further tricks (to use hidden information, to use their friends or contacts, to use it for 'botnet' and other threats). So, my own opinion - there is no "who needs my account?". For some strange people - not need any reason for hack/steal account. Partly because it can be done automatically (by automated processes with further reuse received opportunity). Also web resources can be with own vulnerabilities. As a result, accounts or data can be breached or leaked, or unexpectedly used.

    BUT perhaps social media resources (and other large websites) with some strict requirements. And too much weak password is not possible to use.  However, good to use as strong password as possible. In addition, attack should to know some entry point. So, good to limit any information that is published online (if other layers are not so secure and strong). Anyway, most of large websites with internal mechanisms against automated attacks and suspicious attempts to use account. And, usually, they launch bug bounty programs and other ways to increase their own security (and users' security as a result) - so, in general, too much random hacked account is less likely on current day. But if password is weak really - just matter of time when something start be wrong.

    Could they perhabs try to log into some random account and click on forgot my password and mobile number and somehow "recover" the account only with the help of a password?

    I did not understand the conclusion of "only with the help of a password". Since if password is known and, for example, 2FA or two step verification is not using - then password is enough to such a task.

    However, just to use 'password recovery' functionality should not be enough. By the way, I can not to restore access to my own (freshly) created account on Google. Since I forgot(?) password - but all information is somewhat known for me - however was not enough to ensure Google auto process.

    With enough information about victim or trying to contact support (phish them) - likely situation. But large companies are ready for that. So, it should not be too much easy.

    Some years before - it was quite common situation to use 'restore' access to account by answer to the secret (one) question. So it was something that is trouble on your sentence. But on current days - situation is much better.

    Again if security design of recovery functionality is good. If there are no any vulnerabilities around this flow. If it is not possible to trick process by psychical access to mobile phone or victim's devices.

    Is it necessary to send an email (phishing) before or can they just hack the facebook itself?

    I think depends on certain situation - can be different ways. But, perhaps, spam and rogue letters (phishing) are still too much 'easy' way and too much powerful. What about "hack the facebook itself" - if it is possible - not need to send an email. From victim - attacker want to know (probably) password, critical PII, remote access to his system. If such things are not needed for the trick - so not need to 'contact' user.

    Does a hacker have to know his victim or can he just break into random accounts?

    I think both. Attacker can just break into random accounts. For his (they) 'fun' or profit.

    Or as I wrote before - by automated processes (no a reason - just a random result).

    However, if to call professional attacker as "hacker" - then he have to know his victim. And if attacker want to do some manual work (victim is a potentially important target) - then he have to know his victim for successful targeted attack.

    By the way, F-Secure website with some useful pages about some points:

    where you could check whether your email is leaked somewhere or not. some services even can be about leaked passwords data and so on. however, need to use only really trusted for you. Since to provide your email to any online checker is a quite tricky thing.

    to check how much information are 'public' about you.

    Sorry for my long reply. And sorry for my English.

    If there can be continuation of discussion - I can a bit explain most of 'unclear' meanings of my words.

    Thanks!

    Jaims
  • sewi4sewi4 Posts: 4

    Hi, thanks for answering

    I also wonder, if these  automated processes can also find email or mobile number or the hacker has to find it out on their own?

    Can he perhabs get access to some database of all registered emails?

     ,

  • UkkoUkko Posts: 2,995 Superuser

    Hello,

    automated processes can also find email or mobile number or the hacker has to find it out on their own?

    Not really 'to find'. But, perhaps, 'to generate' or 'to compose' such a list. Because email is only "words" and mobile number is only "numbers" with certain requirements for its look.  So, it can be completely random. However, even if someone with such a list - then he should to ensure which ones are really 'active' and 'exist'. For example, he can to try send spam letter or to call. If there is an answer - then email or number is 'valid'. Such a task can be automated too.

    Can he perhabs get access to some database of all registered emails?

    I am not sure that it is really possible. Just because 'all registered emails' means critical data of each email service providers and 'own' (users) hosted email servers. I think database with all registered emails, for example, of Google Mail should be protected against unauthorized access to it.

    BUT there are a lot of leaked databases from different services, websites, (email providers too), forums and so on. Also just generated lists of email addresses (with inclusions of these emails which can not be used or valid at all).

    So, most likely, someone will try to use this opportunity and use already 'existed' databases of known emails. It is pretty much data, actually.

    But, again, to known only email address is not enough to hack it. Because, for example, if 'criminal actor' know psychical address of Bank (and the place where the 'money' is actually stored) - it does not mean that it is easy to make a crime against bank.

    Thanks!

  • sewi4sewi4 Posts: 4
    edited May 18

    Okay, so if i understand it correctly, if i have a weaker password, hacker can easilly randomly hack my account by these automated processes without even knowing my email, mobile number or anything? Can it also be done secrety, that i wont find out, that somebody was attempting to hack my account?

  • UkkoUkko Posts: 2,995 Superuser

    Hello,

    Okay, so if i understand it correctly, if i have a weaker password, hacker can easilly randomly hack my account by these automated processes without even knowing my email, mobile number or anything?

    So, actually - no. Or I have to create some remarks:

    • if user with a too weak password (for example, "123456"). Or, for example, password is leaked or hardcoded under hardware/software (what can be with admin panel of routers, as example) and it is known one password for attacker;
    • then attacker can to attack user even if he is not knowing him well or anything about him.
    • attacker could try to 'brute force' not only password for known email. But also username or email or mobile number - for example, if it is known that the password is used in one of the accounts in this service. It can be completely automated processes, crawling around. Or trying each email (that he could imagine) / password pair.

    However, it is not so likely situation. Most of web services (large ones) with own protection against such threats. Web services backend/frontend/anything may suspect something strange and to prevent attempts to perform harm.

    But if more information is known for an attacker - then it is likely situation. But again, remarks:

    • there is a "web service" where user has an account (email / password).
    • if user with a weak password and password is known for an attacker - then, of course, it is not enough for automated process to hack account. Because 'email' is an important part of login process. And knowing only the password is not really somewhat helpful for attacker. Thus, automated processes should to find 'email' or to use already known all required information (that can be gathered from other automated processes or manual work; or from leaked databases or other sort of source).

    If user, in addition, with 2FA (or two step verification) - where mobile phone involved - then knowing email/password is not always enough for trouble. Because, then SMS or anything like that is required. Actually, hacker could try to bypass this layer too. In principal, it is possible by some ways. But sounds more as a target attack against user. If so - target attacks can be successful even with good security design (but it is not so likely as with bad security design. and user anyway should care about security).

    So, hack can easily and randomly hack "account" by some way with using some information - but it is not pinned to someone directly. It is can be leaked pair of email/password for service and not used additional security patterns by user (2FA). Or vulnerability on service and unexpected access to account or something like this.

    Sorry for my English and not clear explanation of my opinion.

    Thanks!

  • sewi4sewi4 Posts: 4

    Hi, I also wanted to ask if the hacker could break into FB account by an accident, I mean rewriting something in text or mistakenly alter an email, when he was trying to hack someone else's account

  • UkkoUkko Posts: 2,995 Superuser

    Hello,

    In general, trouble can happen by accident. However, bearing in mind your described method - it is doubtful.

    Since some clarifications are needed:

    - "break into FB account" is accessing someone else's account?

    If so, such trouble can be if:

    • required credentials are known for attacker. For example, email/password pair. Then goes be some mitigations: if account with configured additional security options - then attacker should bypass it OR to have access to required stuff. For example, mobile phone (physically or with an ability to workaround it - duplicate of SIM-card/SMS catching or something else) - if 2FA/Two-Step Verification is there. If there is something as psychical token in use - then it is already stronger security design for user. And so on (IP limitations, own website protection logic against fraud).
    • attacker can to use user's device psychically. Or remotely via malicious software on user's system.
    • website with vulnerabilities which can be exploiting in such a way that attacker can to get access into someone's account.

    So, basically all things are pretty tricky to do when discussing large website and potentially well-protected user's data by his own.

    Attacker can try to use rogue/scam ways ('social engineering'). For example, 'phishing'. As try to 'receive' data directly (fake forms/fake requests). Or just to load a malware.

    So, do not use untrusted/unprotected networks (public Wi-Fi) via not encrypted connection is not recommended. To open suspicious letters is not recommended too, and especially to run/launch/open strange attached files. To visit unknown/untrusted or harmful-rated websites is dangerously. In addition, passwords should be really strong and unique. Stored securely even locally. And many other general tips.

     I mean rewriting something in text or mistakenly alter an email, when he was trying to hack someone else's account

    I am not sure. Could you explain this sentence a bit more? Did you mean if attacker trying to guess password for someone else's account, but instead he found a password for another account?

    Completely random hack accident or mistakenly 'break' can be, I think, only if website with internal broken design / vulnerability with such impact. Otherwise, it can not be completely random. So, attacked should be with something about account and way to hack it and not another one.

    But, basically, attacker can to try 'break' many accounts at once - he did not have any reason, any 'knowledge' for each one. With such wording - it can be accidently. Since accounts with weak passwords (and no any other security layers / options) can be hacked easily than others.

    And one form of 'attack' against them is:

    • list of emails.
    • list of 'generated' passwords.
    • check each one possible pair.

    so, it can be long process and a lot of time if password is good enough. If not - some minutes/seconds/hours. I think this topic is discussed somewhere, even on Facebook pages with their recommendations about security.

    Sorry for my potentially misleading and confusing words / sentences!

    Thanks!

  • johnjonyjohnjony Posts: 1 New Member

    In Facebook App, you can check the time duration of your Online Activity on Facebook. However, there is no such thing on Desktop.

  • Carols34Carols34 Posts: 1

    I was always sure Facebook is one of the most vulnerable social network. I like how they block normal people' accounts every day, but at the same time there are so many cases of online crimes there.

  • MarkKalskiMarkKalski Posts: 2 New Member

    Facebook don't look vulnerable for me. I think people make mistakes those hackers don't forgive, that's why there are so many scam online.

  • MarthaPMarthaP Posts: 6 New Member

    I don't consider Facebook neither vulnerable nor secure. It's just like any other site on the internet. You have to understand what information you share and where you share it, and especially do not click links unless you are 100% about it.

  • johnmarkosjohnmarkos Posts: 1 New Member

    No one safe on internet.

  • JamesMillerJamesMiller Posts: 3 New Member

    There are numerous ways to steal your data not only on FB.

    Phishing emails can steal your confidential information like passwords and bank account details. This kind of emails are usually come from a well-known person or organisation like your bank or company that you work for. It could be some urgent information that your card has been disabled and you need to reactivate it.

    Malware (viruses/spyware/Trojans) can also steel available data and track your activities.

    Even some malicious mobile apps can put your privacy at risk. It usually includes account access to your contact list, microphone access, device admin permission.

    Just try to avoid insecure network and apps, and don't say your personal info to everyone.


    Hope it was helpful.

    Regards, James

Sign In or Register to comment.