Facebook security problem (again)
Friday 29 April 2011 7.20pm HKT
Hackers are at it again, this time trying to get password resets to your Facebook accounts. The last time this happened on a large scale was around March 2010. This time the exploit seems a little more sophisticated.
What’s taking place
Anytime now, you’ll be getting a Facebook email with subject line “Facebook Password Reset Confirmation” or “You requested a new Facebook password” or variations of them.
The email is FAKE, but the language and links look very legit. One version reads as follows (for information only; don’t click on the links below):
You recently asked to reset your Facebook password. To complete your request, please follow this link:
https://www.facebook.com/recover.php?n=pLePBJFsP&id=520163655&s=100
Alternately, you may go to https://www.facebook.com/recover.php and enter the following password reset code:
pLePBJFsP
Please note: for your protection, this email has been sent to all the email addresses associated with your Facebook account.
*Didn’t Request This Change?*
If you did not request a new password, let us know at: https://www.facebook.com/login/recover/disavow_reset_email.php?n=pLePBJFsP&id=520163655
Thanks,
The Facebook Team
It’s actually impossible to tell if the message is spoofed or if Facebook got ‘engineered’ into sending out a legitimate notification. Either way, the solution is to work only with Facebook Help Center at the Facebook site itself.
Workaround solution
- Don’t click on any link in that email.
- Don’t download any attachment that the email contains.
- Ignore and bin the email.
- Go to your Facebook account, change your login email, and change your password.
- Inform Facebook of the exploit and disavow the password reset using only Facebook’s own Help Center.
- Done!
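The post’s point is that the links in these messages look legitimate at a glance. In an HTML email the visible text of a link and its real destination are two different things, and a look-alike host such as facebook.com.something.net is not facebook.com. The following is an added example (not code from the original post) of the triage checks a defender would run over a suspect message: it parses the anchors out of the HTML, requires HTTPS, requires the real target host to be facebook.com or a subdomain of it, and flags any link whose displayed URL points somewhere other than where it actually goes. The sample message and its hosts are constructed for illustration; the trusted host list is an assumption.

```python
"""Triage checks for a suspected password-reset phishing email.

Added example, not code from the original post. It assumes the email is
available as HTML text; the SAMPLE_EMAIL below is constructed for
illustration and is not the message quoted in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the genuine service is expected to use (assumption for this example).
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}


def host_is_trusted(host):
    """True only if host is a trusted host or a subdomain of one.

    The comparison is on dot-separated labels, so a look-alike such as
    'facebook.com.example.net' is NOT trusted; a plain substring match would be.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return one finding per link: {'href', 'text', 'problems'}."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        problems = []
        if target.scheme != "https":
            problems.append("not https")
        if not host_is_trusted(target.hostname or ""):
            problems.append("untrusted host")
        # If the visible text is itself a URL, its host must match the real target.
        if _looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if (shown.hostname or "").lower() != (target.hostname or "").lower():
                problems.append("visible URL differs from real target")
        findings.append({"href": href, "text": text, "problems": problems})
    return findings


def is_suspicious(html):
    """True if any link in the message fails a check."""
    return any(f["problems"] for f in check_links(html))


# Constructed sample: one look-alike host hiding behind a genuine-looking URL,
# one genuine link, and one plain-HTTP link to a bare IP address.
SAMPLE_EMAIL = """
<p>You recently asked to reset your password. To complete your request, please follow this link:</p>
<p><a href="https://www.facebook.com.reset-example.net/recover.php?n=EXAMPLECODE">https://www.facebook.com/recover.php?n=EXAMPLECODE</a></p>
<p>Alternately, go to <a href="https://www.facebook.com/recover.php">https://www.facebook.com/recover.php</a></p>
<p>Didn't request this? <a href="http://203.0.113.10/recover">let us know</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        status = ", ".join(finding["problems"]) or "ok"
        print(f"{finding['href']}\n    shown as: {finding['text']!r}\n    {status}")
    print("suspicious:", is_suspicious(SAMPLE_EMAIL))
```

Run it as a script to see the per-link report; only the second link passes. The checks are deliberately strict (any non-HTTPS or off-domain target counts as a failure) because the safe action the post recommends, going to the site directly rather than through the email, costs nothing, while a missed look-alike costs an account.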
The password reset exploit was last seen around March 2010. That time, the exploit was a straight fake email containing a downloadable keylogger or virus. But this time, Facebook itself might have been fooled into issuing legitimate notifications.
If your account still ends up getting hacked, reclaim your account by following the directions on this Facebook help page.
Be sure to let your friends know about the email scam so they don’t become victims as well.
Updated 11/11/2011:
Comments now closed for this post — because of spam. We do apologise for this.
© The Naked Listener’s Weblog, 2011. Updated 11/11/2011.
You get Facebook in Hongkong??? I am so jealous!!!!! But good info to know for next month!!! Thank-you!!!
I thought you knew! Sure, we have Facebook plus many, many others in Hong Kong, certainly more than some countries (e.g. USA) have access to. I mean, Hong Kong’s ONLY LEGALLY part of China, otherwise they’re two completely different “countries.” The fact that our Chief Executive (i.e. governor) is SIR Donald Tsang speaks volumes of the situation.
You know… I just thought about it. When Hongkong returns fully to China in a few years, do you think the PRC will have any say in blocking various sites and do you think Hongkong people will accept it? Strange thoughts in my head!!!!
Hmm, definitely a topic worth its own blogpost.
Fine.
Good enough.
It is not my password that is messed up, it is my email address. For years I have had the email address poodlelover@_____.com. Someone changed it to dogs.com.