Facebook accounts could be hacked without ever needing a password

A Facebook logo on an Ipad is reflected among source code on the LCD screen of a computer, in this photo illustration taken in Sarajevo June 18, 2014. PHOTO: REUTERS

We all know how easily your Facebook account’s security can be comprised if your passwords get saved on a public computer.

However, there’s another way hackers can get a hold of your account without you even noticing. James Martindale, 18, plugged in his T-Mobile SIM card and received a text from Facebook stating that he hadn’t logged into his account for a while despite not synchronising the new number to his Facebook account.

When he searched for an existing account with the new number sim card, Martindale found an account on Facebook. To try to access the account, Martindale pressed the password recovery key which gave him the option of texting a recovery code to the registered number to gain access.

In the end, Martindale could access an account previously associated with the number without needing a password. Now, that can be a serious cause of concern for general everyday users.

What’s more, Facebook also gave him the option to change the password in what the social media giant thought is a protective measure to prevent what already was happening. This would have locked the real user out of their account, or to make matters worse, meant he would never have known his account had been hacked.

“This can be game over for your account,” he wrote.

The problem stems from the fact that Facebook allows you to link multiple phone numbers to your account, and doesn’t force you to remove old ones once you’ve stopped using them.

Martindale says he reported the issue to Facebook three months ago, which acknowledged it was a ‘concern’ but hasn’t yet done anything about it.

“There are situations where phone numbers expire and are made available to someone other than the original owner,” Facebook responded. “For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user’s Facebook account, the person who now has that number could then take over the account.

“While this is a concern, this isn’t considered a bug for the bug bounty program. Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.”

The solution to this is quite obvious. You should immediately unlink any old numbers and email addresses from your account, by visiting settings and enable two-factor authentication along with enabling alerts about unrecognised logins.