Recovering and Securing a Hacked Facebook Account: A Guide

In yesterday’s blog, we walked you through what to do if you realize that one of your social media accounts has been broken into. That advice was general and applies to any platform; since attacks on social media accounts are on the rise, today we focus on a single platform and walk you through the steps of recovering a hacked Facebook account.


Before recovering any account, there are several things that you should consider:

  1. When did you last use the account (i.e. when did you last log in)?
  2. When did you realize the account had been breached, and what had you done in the moments leading up to that realization?
  3. To the best of your knowledge, was the account’s password also used to log in to any other website, service, or application? If so, can you remember roughly when you last used it there? (An approximate date is enough.)
  4. Was the account protected by two-factor authentication or any other protective measure?
  5. Did you follow basic information security hygiene while using the account (a strong, unique password, not oversharing information, only accepting friend requests from people you actually know, etc.)?

An answer to these questions will determine the steps you should take next. Here’s how it works:

  1. Remembering when you last used the account lets you reconstruct what happened since you were last active. Did you click on a link in a message? Did you chat with a stranger in Messenger message requests? Did people you don’t know send you friend requests, and did you accept them?
  2. Remembering when you realized the account was at risk helps you recall what you did in the moments preceding the incident.
  3. This one is especially important. Attackers who take over social media accounts far more often rely on credential stuffing (trying a password leaked from one service against other services) than on attacking the platform itself. If you can recall the other services where you used the same password, check them against lists of breached websites such as the one provided by BreachDirectory. If one of those services was hit by a data breach, that is your likely problem: the attacker most probably took the password leaked there and reused it to log in to your Facebook account.
  4. If the account was protected by 2FA or other measures strengthening its authentication and still got breached, think about the last devices used to log in to it. Did you use your laptop in a cafe and leave it unattended, still logged in, while you used the toilet or ordered coffee? Did you log in from a phone? Contrary to popular belief, most attacks on accounts protected by two-factor authentication do not defeat the second factor itself (possible, but unlikely); they work on the “soft”, human, factor instead, for instance by tricking the owner into handing over a one-time code or by using a device that is already logged in.
  5. If you didn’t follow basic security hygiene, you may well have been breached, or, as they say in hacker circles, “looked up” (referring to lookups of breached data to find a reused password). Did you chat with anyone outside of your social bubble? Did you give that person any sensitive information? If you clicked on a link, what was the conversation about when the link was sent?
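The credential-stuffing reasoning in point 3 can be turned into a small audit of your own accounts. The script below is an added example, not part of the original post and not BreachDirectory’s code. Both inputs are constructed: MY_ACCOUNTS mimics a password-manager export, and KNOWN_BREACHES mimics what a breach search engine tells you about a service (breach date, and whether passwords were among the leaked fields). It assumes that once a service leaks passwords, every account sharing that password is exposed from that breach date onward, which is exactly how a reused Facebook password ends up in an attacker’s hands.

```python
"""Password-reuse exposure audit: which of my accounts could an attacker
reach by credential stuffing, and since when?

Added example, not from the original post or from BreachDirectory.
Inputs are constructed sample data, not real credentials.
"""
from collections import defaultdict
from datetime import date
import hashlib

# Constructed: a password-manager style export of the owner's accounts.
MY_ACCOUNTS = [
    {"site": "facebook.com",    "user": "jane@example.com", "password": "Summer2019!"},
    {"site": "forum.example",   "user": "jane@example.com", "password": "Summer2019!"},
    {"site": "shop.example",    "user": "jane@example.com", "password": "Summer2019!"},
    {"site": "bank.example",    "user": "jane",             "password": "v9$Kq2!pLm#eR7wZ"},
    {"site": "oldgame.example", "user": "jane_k",           "password": "hunter2"},
]

# Constructed: what a breach search engine reports about each service.
KNOWN_BREACHES = {
    "forum.example":   {"date": date(2021, 3, 4),   "passwords_leaked": True},
    "shop.example":    {"date": date(2020, 11, 20), "passwords_leaked": False},  # only emails leaked
    "oldgame.example": {"date": date(2019, 6, 1),   "passwords_leaked": True},
}


def fingerprint(password):
    """Short hash so a report can refer to a shared password without printing it."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def group_by_password(accounts):
    groups = defaultdict(list)
    for acct in accounts:
        groups[acct["password"]].append(acct)
    return groups


def exposure_report(accounts, breaches):
    """Map site -> {exposed_since, via, reused_on, password_id} for every
    account whose password is obtainable from a breach of any service where
    the same password was used. Accounts with a unique, unbreached password
    are left out."""
    report = {}
    for password, accts in group_by_password(accounts).items():
        leaks = [
            (breaches[a["site"]]["date"], a["site"])
            for a in accts
            if a["site"] in breaches and breaches[a["site"]]["passwords_leaked"]
        ]
        if not leaks:
            continue
        since, via = min(leaks)  # earliest leak bounds the earliest possible exposure
        for a in accts:
            report[a["site"]] = {
                "exposed_since": since,
                "via": via,
                "reused_on": len(accts),
                "password_id": fingerprint(password),
            }
    return report


def print_report(report):
    for site, info in sorted(report.items(), key=lambda kv: kv[1]["exposed_since"]):
        print(f"{site:18} exposed since {info['exposed_since']} via {info['via']} "
              f"(password {info['password_id']} used on {info['reused_on']} sites)")


if __name__ == "__main__":
    print_report(exposure_report(MY_ACCOUNTS, KNOWN_BREACHES))
```

In the sample, shop.example only leaked email addresses, yet it still shows up as exposed because it shares a password with forum.example, which did leak passwords; bank.example, with its unique password, does not appear at all. The “exposed since” date is the earliest moment an attacker could have started using that password against Facebook, which is the date to compare against your login history.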

Once you have answered at least a part of those questions, it’s time to get to work.

Dealing with the Incident

The first step in actually recovering the account is, once again, to evaluate your options. Do you still have access to the email address associated with the account? If so, reset the password from the “Forgot password?” link right away to shut the attacker out. If the reset email never arrives, the attacker may have swapped the account’s contact email or phone number for their own; in that case use Facebook’s compromised-account recovery flow (facebook.com/hacked), which walks you through proving the account is yours. While your account is being recovered, check every other account that may have used the same password and change it there too: a breach of those accounts is possible as well.

Once your account is recovered, log in and check on the following:

  1. The devices and locations that logged in to your account over the last few days (and, ideally, in the days leading up to the incident). Facebook lists active sessions under Settings > Security and Login > “Where You’re Logged In”; after the reset, verify that no unfamiliar session remains and log out any that does, since a password change you did not double-check may have left the attacker’s session alive.
  2. Was two-factor authentication on or off? If it was turned off, do you remember doing it? Either way, turn it back on.
  3. Was your password reset? Look for Facebook’s password-change notification in your inbox and note its date: that is the most likely date of the takeover. Look as well for notifications about a changed email address or phone number; attackers add their own to lock you out, and any contact detail you don’t recognize must be removed.
  4. Your timeline: did the attacker post anything? The typical post reads along the lines of “something really bad happened, please help me, PM me for the details of how you could support me and my family in this terrible situation”.
  5. Read and unread messages: do you see any suspicious messages sent recently? Have you been added to or removed from any group chats, and what was “your” activity there? Contrary to popular belief, messages, not the timeline, are where an attacker’s activity usually shows up once they gain access to an account. Some attackers ask your friends for money, some pose as you and use social engineering to extract information about you, and so on. Where necessary, contact the people the attacker messaged and explain the situation.
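Points 1 and 3 of that checklist are a timeline exercise: find the first login from a device you don’t recognize, and line it up with the password change that followed. The script below is an added example, not part of the original post. SAMPLE_EXPORT is a constructed, simplified stand-in for the login/logout events Facebook includes in its “Download Your Information” archive; the real export uses different field names, so adapt load_events() to your own file. The one input you supply is KNOWN_GOOD_UNTIL, the last moment you are sure the account was still only yours; devices seen before that form the trusted baseline.

```python
"""Login-history triage: first unfamiliar login, the password change that
followed it, and which unfamiliar sessions still need to be logged out.

Added example, not from the original post. SAMPLE_EXPORT is constructed and
simplified; the real Facebook export has a different shape.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the owner's PC and phone, then a stranger's device
# logs in, changes the password two minutes later and keeps the session.
# A second stranger logs in and out again (nothing left to terminate).
SAMPLE_EXPORT = json.dumps({
    "account_accesses": [
        {"action": "Login",           "timestamp": 1700000000, "ip": "203.0.113.10", "agent": "Chrome/Windows"},
        {"action": "Login",           "timestamp": 1700086400, "ip": "198.51.100.7", "agent": "Facebook for Android"},
        {"action": "Login",           "timestamp": 1700172800, "ip": "203.0.113.10", "agent": "Chrome/Windows"},
        {"action": "Login",           "timestamp": 1700240000, "ip": "192.0.2.55",   "agent": "Chrome/Linux"},
        {"action": "Password change", "timestamp": 1700240120, "ip": "192.0.2.55",   "agent": "Chrome/Linux"},
        {"action": "Login",           "timestamp": 1700250000, "ip": "192.0.2.99",   "agent": "Safari/macOS"},
        {"action": "Logout",          "timestamp": 1700260000, "ip": "192.0.2.99",   "agent": "Safari/macOS"},
        {"action": "Login",           "timestamp": 1700300000, "ip": "192.0.2.55",   "agent": "Chrome/Linux"},
    ]
})
KNOWN_GOOD_UNTIL = 1700200000  # owner is certain the account was fine up to here


def load_events(raw_json):
    """Parse the export and sort events chronologically."""
    return sorted(json.loads(raw_json)["account_accesses"], key=lambda e: e["timestamp"])


def baseline_devices(events, known_good_until):
    """(ip, agent) pairs seen before the owner's last known-good moment."""
    return {(e["ip"], e["agent"]) for e in events if e["timestamp"] < known_good_until}


def suspicious_events(events, known_good_until):
    """Events at or after the known-good moment from a device not in the baseline."""
    trusted = baseline_devices(events, known_good_until)
    return [e for e in events
            if e["timestamp"] >= known_good_until and (e["ip"], e["agent"]) not in trusted]


def estimate_takeover(events, known_good_until):
    """Return (first unfamiliar login, first password change after the
    known-good moment) as timestamps; either is None when absent."""
    sus = suspicious_events(events, known_good_until)
    first_login = next((e["timestamp"] for e in sus if e["action"] == "Login"), None)
    first_change = next((e["timestamp"] for e in events
                         if e["action"] == "Password change" and e["timestamp"] >= known_good_until), None)
    return first_login, first_change


def ips_to_log_out(events, known_good_until):
    """Unfamiliar addresses whose last recorded action is not a Logout, i.e.
    sessions that may still be alive and must be terminated by hand."""
    last_action = {}
    for e in suspicious_events(events, known_good_until):
        last_action[e["ip"]] = e["action"]
    return sorted(ip for ip, action in last_action.items() if action != "Logout")


def fmt(ts):
    return "none" if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    evs = load_events(SAMPLE_EXPORT)
    login, change = estimate_takeover(evs, KNOWN_GOOD_UNTIL)
    print("first unfamiliar login :", fmt(login))
    print("password changed at    :", fmt(change))
    print("sessions to log out    :", ips_to_log_out(evs, KNOWN_GOOD_UNTIL))
```

The gap between the first unfamiliar login and the password change is the window in which the attacker had read access without having locked you out yet; messages sent in and after that window are the ones to review. Anything in the “sessions to log out” list is what you terminate under “Where You’re Logged In”.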

Finally, scan your computer for malware, spyware, and other malicious software, and check your browser, in particular its extensions: remove any extension that is not a necessity. Anti-malware scanners are very helpful here. Let them clean your PC, restart it, then review the programs configured to run at boot (on Windows, the Startup tab of Task Manager, which is where msconfig now points you, or Microsoft’s Autoruns for a complete list), and once you’re sure the machine is clean, reset the password once more, this time from the clean machine. The reason is to avoid a hacker “comeback”: if the breach was the result of an infostealer or other malware on your PC, that malware can capture the new password (or the browser’s session cookies) just as it captured the old one, so a reset done from an infected machine only fixes the visible part of the problem while leaving the cause in place.

Once your password is reset, two-factor authentication is in place, the people around you know about the possible malicious activity, and your PC is clean, familiarize yourself with the security settings surrounding your Facebook account: Facebook offers two-factor authentication, alerts about unrecognized logins, and an overview of where you’re logged in, but these measures only protect you if you turn them on and act on what they tell you. Then it’s time to further protect yourself on the web. A data breach search engine such as the one provided by BreachDirectory is usually a good start if you want to protect yourself and your loved ones; the information it returns helps you identify the following:

  1. Which of your accounts, and as a result of which attack, could have fallen into the hands of hackers?
  2. When did the breach occur?
  3. What made the breach possible? (Reading analyses of past data breaches is a great way to advance your security knowledge.) Even very well-known websites aren’t exempt from scandals and data leaks; in this day and age you never know what might happen next, so learning what happened in the past can help you prevent threats in the future.

The BreachDirectory API, on the other hand, helps companies, universities, and individuals assess their exposure in data breaches: by providing an email address, username, IP address, or domain to be checked against the database, they gain insight into the likelihood that their accounts have been compromised. The API can also be queried in bulk, checking a whole set of accounts for exposure in a data breach.

Both the BreachDirectory data breach search engine and the BreachDirectory API could be incredibly helpful in preventing a breach of your Facebook account in the future. Did you already use them?


Recovering and securing a hacked Facebook account isn’t the easiest of tasks; however, the steps are manageable: regain access and reset your password, turn on two-factor authentication, clean the device you use, follow basic security hygiene, and know the couple of additional security measures described above, and you will be good to go. We hope you’ve enjoyed reading this blog, and we’ll see you in the next one. In the meantime, make sure to familiarize yourself with the features offered by the BreachDirectory API to protect your team and loved ones, and until next time!
