Facebook security problem (again)
Friday 29 April 2011, 7.20pm HKT
Hackers are at it again, this time trying to get password resets to your Facebook accounts. The last time this happened on a large scale was around March 2010. This time the exploit seems a little more sophisticated.
What’s taking place
Anytime now, you’ll be getting a Facebook email with subject line “Facebook Password Reset Confirmation” or “You requested a new Facebook password” or variations of them.
The email is FAKE, but the language and links look very legit. One version reads as follows (for your information only; don’t click on any of the links it contains):
You recently asked to reset your Facebook password. To complete your request, please follow this link:
Alternately, you may go to https://www.facebook.com/recover.php and enter the following password reset code:
Please note: for your protection, this email has been sent to all the email addresses associated with your Facebook account.
*Didn’t Request This Change?*
If you did not request a new password, let us know at:
The Facebook Team
It’s actually impossible to tell if the message is spoofed or if Facebook got ‘engineered’ into sending out a legitimate notification. Either way, the solution is to work only with Facebook Help Center at the Facebook site itself.
- Don’t click on any link in that email.
- Don’t download any attachment that the email contains.
- Ignore and bin the email.
- Go to your Facebook account, change your login email, and change your password.
- Inform Facebook of the exploit and disavow the password reset using only Facebook’s own Help Center.
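Because the wording of a fake reset notice can be indistinguishable from the real thing, the only things a reader (or a mail filter) can actually check are where the links really go and where the message really came from. The following is an added example, not code from the post or from Facebook: it takes a raw email, extracts every link from the HTML body, flags any link whose target host is not under facebook.com, flags anchors whose visible text shows a facebook.com URL while the href points elsewhere, and flags From or Return-Path domains outside the trusted list. The trusted-domain list, the sample messages and the placeholder hosts are all constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: domains a genuine Facebook reset notice would
# link to and be sent from. Adjust to whatever your own records show.
TRUSTED_SUFFIXES = ("facebook.com", "facebookmail.com")

# Matches <a ... href="..."> ... </a>, capturing the target and the visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample modelled on the wording quoted in the post. The lure host
# is a placeholder, not a real indicator.
SAMPLE_EMAIL = """From: Facebook <noreply@facebookmail.com>
Return-Path: <bounce@mailer.example-not-facebook.test>
Subject: Facebook Password Reset Confirmation
Content-Type: text/html

<p>You recently asked to reset your Facebook password. To complete your request, please follow this link:</p>
<p><a href="http://fb-recover.example-not-facebook.test/reset.php?code=1234">https://www.facebook.com/recover.php</a></p>
<p>Alternately, you may go to <a href="https://www.facebook.com/recover.php">https://www.facebook.com/recover.php</a> and enter the following password reset code:</p>
"""

# Constructed control message: every link and sender domain is trusted.
CLEAN_EMAIL = """From: Facebook <noreply@facebookmail.com>
Return-Path: <bounce@facebookmail.com>
Subject: You requested a new Facebook password
Content-Type: text/html

<p>Go to <a href="https://www.facebook.com/recover.php">https://www.facebook.com/recover.php</a> and enter the code.</p>
"""


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted(host):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def link_findings(html):
    """Flag links that leave the trusted domains and text/href host mismatches."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        target = host_of(href)
        if not is_trusted(target):
            findings.append(f"link target host not trusted: {target}")
        # Visible text that reads as a URL but resolves to a different host is
        # the classic lure: the reader sees facebook.com, the click goes elsewhere.
        if text.lower().startswith(("http://", "https://")) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but goes to {target}")
    return findings


def header_findings(msg):
    """Flag From and Return-Path addresses whose domain is not trusted."""
    findings = []
    for header in ("From", "Return-Path"):
        _, addr = parseaddr(str(msg.get(header, "")))
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if not is_trusted(domain):
            findings.append(f"{header} domain not trusted: {domain or '(none)'}")
    return findings


def analyse(raw):
    """Parse a raw message and return the subject, all findings and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = header_findings(msg) + link_findings(html)
    return {"subject": str(msg.get("Subject", "")),
            "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyse(raw)
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

Run against the constructed sample it reports three findings (an untrusted Return-Path, an untrusted link target, and an anchor whose text shows www.facebook.com but points at the placeholder host), while the control message produces none. The point of the check is the same as the post's advice: the decision never rests on how the email reads, only on where its links and headers actually lead, and the safe action is still to open Facebook's own site directly rather than to follow anything in the message.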
The password reset exploit was last seen around March 2010. That time, the exploit was a straight fake email containing a downloadable keylogger or virus. But this time, Facebook itself might have been fooled into issuing legitimate notifications.
If your account still ends up getting hacked, reclaim your account by following the directions on this Facebook help page.
Be sure to let your friends know about the email scam so they don’t become victims as well.
Comments now closed for this post — because of spam. We do apologise for this.
© The Naked Listener’s Weblog, 2011. Updated 11/11/2011.