I had a friend get hacked on Facebook the other day and I started thinking. Man that would be pretty rough.
How does one prevent getting hacked? A tough password? Not installing apps you don’t trust? How do you know if you should trust them if you have never used them?
Likely even that isn’t enough these days…
I came across Firesheep, a simple download that looks braindead easy to use and that scans the WiFi to see who has logged on to Twitter, Facebook, and a whole lot more. Since those sites don’t even use SSL for the logged-in session, it is cake to hack. It does look very easy. This walkthrough Facebook hack YouTube video looks pretty simple and scary easy as well. Hackers try to stay one step ahead of security.
I did have my Yahoo email hacked a couple of years ago, and at the time I figured it was some brute force method, but now I realize it had to have been a terminal I was logged in on or a WiFi hotspot. With mobile devices in an airport I can only imagine how easy it would be to collect all sorts of accounts using a WiFi method.
First, whether or not you have been hacked in the past, now is the time to take a more secure approach toward some of your social habits.
While I’d say it would be quite easy to hack any of your social media accounts, here are some methods to make it more difficult.
1. Strong Passwords – Brute force methods would use a dictionary. This is becoming a less likely method to use, but a strong password will still help if someone is looking over your shoulder and in other similar cases. A strong password makes it harder to guess. A strong password uses a combination of letters mixed with upper and lowercase, numbers, and symbols and is longer than 8 characters. Ensure the privacy settings on your account are appropriate and that a unique, challenging security question (only something you know) is set up in case you get locked out.
2. Unique passwords – It’s very tempting to use the same password for all your social networks. Even the best of us fall into this trap for simplicity. Don’t do it. If you’re like me you like to try out new apps, and some will make you create a username and password or even use open auth, but giving rights to the app will allow it to interact with your network. What a hacker likely wants is at least the email addresses of your friends, and at most wants to push a link to all your friends, push data to their walls and propagate spam or the junk you get in your email. I remember a couple years ago when people would pose as you and ask your friends for money by coming up with some sad story. Scary stuff. By the way… I will NEVER ask you for money via my Facebook wall or on Twitter. Never Ever. 🙂
3. Reset your password on a regular basis – Hackers that compromise your account and lay low can plan to use your profile later. If you reset your password you’re locking them back out. As well, resetting your password is like a refresh or reboot. It’s a good thing to do as it will actually cut off any open auth social apps you’ve previously granted or those that the hacker set up. It will essentially force you to do a little housekeeping or spring cleaning.
4. Avoid logging into Facebook and Twitter or your web based mail on public terminals – This is tough. If you can’t avoid it, make sure you reset your password next time you’re on your own machine. Gmail will show you the last login time. As well, I know some people that are watching their activity feeds every few minutes, but what you’ll miss is your own activities. You most often are really only watching your friends’ activities. Facebook has added some face detection stuff to make sure you are who you say you are. If you get this prompt you should reset your password after you validate, because it means the Facebook team thinks you may have been compromised or has reason to believe you have.
5. Apps – It’s amazing the hundreds, no thousands, of apps out there that do stupid things. How easy is it to build an app that would authorize the ability to send messages to friends, to write on your friends’ walls and even to edit your profile? I saw a hacked friend’s profile the other day that showed 0 friends, and the app blanked out the entire profile after it got everything it wanted. The app then spammed all their friends about buying jewelry. Bad news. The answer is… it’s fairly easy to create that app and, even worse, it’s very easy to propagate. Hey, my friends trust it. Why shouldn’t I? At a minimum, if you don’t really "get" the purpose of the app, don’t install it. As well, you shouldn’t install any apps you don’t trust, but isn’t that the fun of Facebook? Installing apps that show you funny things or quizzes or tell you how you look like Dr. Spock. The key to keeping Twitter clean is resetting your password and making sure the various OAuth grants to apps (open authentication to apps using your account) are also clean.
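As an added example that is not part of the original post, here is a small Python check that applies the strong-password rule from point 1 (longer than 8 characters, upper and lowercase letters, a digit and a symbol) and also flags passwords built around a dictionary word, since point 1 notes that brute force tools work from a dictionary. The wordlist is a constructed stand-in; a real check would load a much larger list.

```python
import re
import string

# Constructed, illustrative wordlist standing in for the dictionary a
# brute-force tool would use; a real check would load a far larger list.
COMMON_WORDS = {"password", "facebook", "twitter", "letmein", "welcome", "qwerty"}


def password_problems(password: str, wordlist=COMMON_WORDS) -> list:
    """Return the rules a password fails; an empty list means it passes."""
    problems = []
    if len(password) <= 8:
        problems.append("too short: must be longer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Dictionary check on the letters alone, so that "Password1!" still
    # counts as a dictionary word dressed up with a digit and a symbol.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    for word in wordlist:
        if word in letters_only:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def is_strong(password: str) -> bool:
    """True only when every rule in password_problems() passes."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed sample passwords: two weak ones and one that passes.
    for pw in ["Password1!", "facebook2010", "T3a&cup-Orbit!"]:
        print(pw, "->", password_problems(pw) or "ok")
```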
So you got hacked. Now what?
1. Reset your password – The first thing, before anything else, is to reset your password. This will stop any further propagating. It will lock out the hacker. If you got locked out of your account you can follow the steps for requesting a password reset.
Reset your password by selecting the "Forgot" link that appears above the Password field on the Login page.
You can also reset your password by logging in and clicking Account in the top right corner, which will give you a drop-down menu. Choose Account Settings, then click "change" next to Password on the settings page.
The Facebook Help Center simplifies recovery from a hack into a single-step approach under "Security: Account Compromised":
"If you believe your account has been taken over by another person, the easiest way to secure your account is to reset your password. You can do this by selecting the "Forgot your password?" link that appears below the Password field on the Facebook login page. An email will be sent to you with steps for completing the process.
If this does not resolve your issue or your email address has also been compromised, please click here to submit your report."
The Facebook Help Center’s reporting of the incident and getting back into your profile can be simplified into two different types of hacks, the second of which is harder to fix:
"If the login email address that you normally use to log in to your Facebook account is still associated with your account, click here.
If the login email address listed on your Facebook account has been removed by another person (i.e., someone has replaced your login email address with one that you do not control), click here."
There are more steps in: How to Fix a Hacked Facebook Account on eHow.com
The "forgot" link is on the login page and should help you if you get locked out.
2. Update your status – Let your friends know that you had your account hacked and not to click any links or install any apps you might have sent when you got hacked.
3. Remove recent and suspect apps – Facebook doesn’t really want you to remove apps, since that’s what keeps people using Facebook. So it’s kind of tricky to find the place. Most likely the suspect app would be the one that was most recent, but I’d recommend a good scrubbing. You should also remove any posts on your wall or tweets from the app that caused your problems in the first place.
4. Clean up your privacy settings – Walking through your privacy settings and cleaning them up will also make it more difficult for anyone to continue to take advantage of your account. It’s possible that when you were hacked the hijacker messed with your privacy settings, not just on apps but on how far your messages go. So you should likely get really conservative as you make your way back into the community. Locking it down is a great way to position it in the beginning, and you can open it back up as you move along. Conservative means turning off "everyone" and "friends of friends" and moving to "friends only".
5. Block lists – There’s a not so well known feature where you can block people and applications. I’m a big fan of using this to reduce noise. I also find it key not only for people you may suspect were recent friends who used you to get to your account or knowingly sent you a trojan app, but the blocked applications list is the best. It keeps you from getting notifications and invitations, and keeps you from accidentally installing the app again… hopefully.
The Facebook Help Center is designed to help you know what to do if your account was phished or hacked.
If your account or your friend’s account was compromised you can contact
Good luck. As the security improves, hopefully this gets better. The best position to be in is cautious. Never assume that, because there are millions of people on Facebook or Twitter, this could never happen to you.