How I Took Over A Random Person’s Facebook Account In Less Than Two Minutes.

This is a quick narrative of how I took over a random stranger’s Facebook account in less than a couple of minutes.

It started with a strange SMS I received, addressing me as Bob (made-up name). Instinctively, I looked up my number on Truecaller.

Wow. That was interesting, because that was definitely not me!

Okay, so my phone number had belonged to someone else before it was recycled to me. I recalled that Facebook allowed people to log in using their phone numbers. I tried logging into Facebook using the number and... as I expected:

Well, that was quick. You could guess how it ended up after this.

I clicked “Recover Your Account” and within a matter of seconds an OTP to change the password dropped into my SMS inbox. I did log in to that person’s account to confirm that it really worked, and yeah, it worked. I was Bob now!

Luckily (or rather unluckily), the account was an abandoned account. I quickly wrote to Facebook about the hole and got a banana in return.

TLDR: Facebook says “It is not our fault and is not really a big deal (for us).”

Well, there are definitely things that Facebook could do. Tell your users what phone numbers are linked to their account. Tell them every day. For every login. Show it somewhere. Bug them till they get fed up. Sacrifice that mild annoyance for security.
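As an added example (not code from the original post or from Facebook), here is a sketch of the mitigation proposed above: on every login, list every phone number linked to the account, flag the ones that have not been re-verified recently, and refuse SMS OTP recovery through a stale number until the user confirms it is still theirs. The 90-day window, the data shapes and the function names are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: a number not re-verified within this window is treated as
# possibly recycled and may not be used for SMS-based account recovery.
STALE_AFTER = timedelta(days=90)


@dataclass
class LinkedPhone:
    number: str              # E.164 string, constructed sample values below
    last_verified: datetime  # when the user last proved control of the number


def stale_numbers(phones, now):
    """Return the linked numbers whose last verification is older than the window."""
    return [p.number for p in phones if now - p.last_verified > STALE_AFTER]


def login_notice(phones, now):
    """Text to show on every login: all linked numbers, with stale ones flagged."""
    stale = set(stale_numbers(phones, now))
    lines = ["Phone numbers linked to your account:"]
    for p in phones:
        flag = "  <- not verified recently, remove it or re-verify" if p.number in stale else ""
        lines.append(f"  {p.number} (verified {p.last_verified.date()}){flag}")
    return "\n".join(lines)


def allow_sms_recovery(phones, number, now):
    """Permit SMS OTP recovery only through a linked number verified within the window."""
    for p in phones:
        if p.number == number:
            return now - p.last_verified <= STALE_AFTER
    return False  # unknown number: never send a recovery OTP to it


# Constructed sample account: one number verified last week, one untouched for over a year.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PHONES = [
    LinkedPhone("+15550100001", NOW - timedelta(days=7)),
    LinkedPhone("+15550100002", NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    print(login_notice(SAMPLE_PHONES, NOW))
    print("recovery via old number allowed:", allow_sms_recovery(SAMPLE_PHONES, "+15550100002", NOW))
```

The old number would still be listed on every login, so the rightful owner sees it and removes it, while a stranger who inherits the recycled number cannot use it to reset the password.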

Lesson:

NEVER NEVER NEVER leave your old phone numbers linked to any of your online accounts. Do it right now. Log into all your services and clear your old numbers. I did it and was quite surprised at how many unused numbers I had linked with my accounts.