
Imagine if there was a number a thief could call, and, by answering just a few questions, receive a key to your home. No breaking and entering necessary, just a call to customer support and a couple of deceptive answers to bad security questions.

That is, essentially, how a hacker gained access to 23-year-old Aaron Thompson's Facebook account. On Monday, Thompson found that he couldn’t log into his Facebook account and that the email address and phone numbers associated with it had been changed. It turned out that a clever hacker had posed as Thompson to convince an unwitting customer support person to hand over the keys to Thompson's digital domicile. No hacking necessary.


In Thompson's email inbox, he found a record of the hacker's entire conversation with customer support (which he posted to Imgur).

“Hi. I don’t have anymore access on my mobile phone number. Kindly turn off code generator and login approval from my account. Thanks,” the hacker, posing as Thompson, wrote.

An automated response from Facebook told Thompson's poser to send a photo or scan of his ID to confirm he owned the account. The hacker sent Facebook a "scan" of a fake passport, along with instructions to "turn of login approval and code generator for my account and provide me unlock code."


Facebook obliged, giving full access to Thompson's account with nothing more than four back-and-forth emails and a faked ID.

A distressed Thompson posted about the incident on Reddit.

"The hacker also sent my fiance a picture of his genitals, at this point it's blatant harassment," he wrote.

He wrote to Facebook, telling them he had been hacked, that he was locked out of his account and that he had lost access to all of his business Facebook pages. Though the hacker had swiftly gained access to his account, Thompson told Motherboard he was unable to get back in for an entire day.

@facebook I know this is a stretch but could someone email me at nekochanfbg@gmail.com to help with this please? https://t.co/fQEm9Fgqth

— Yhu (@yhuthere) June 28, 2016

Facebook told Motherboard that “accepting this ID was a mistake.” (Thompson, it turns out, does not even own a passport.)

Finally, today, Thompson was able to get back in.

I have the hacked account back. @facebook has been very helpful, I haven't gotten all of the business pages back yet, but they are working

— Yhu (@yhuthere) June 28, 2016

This story has a happy ending, but it's a good reminder that even two-factor authentication can't protect an account when a determined attacker exploits the fallibility of human judgment by customer support agents: the recovery process is only as strong as the weakest identity check behind it.
