How Did My Facebook Get Hacked?

A reader recently e-mailed me with a detailed query about an apparent Facebook hack. She clicked a link on a familiar message board that launched a video. She was surprised to find that her Facebook photo appeared on the page with the video. She logged out and changed her Facebook password. Facebook support informed her that her account had been accessed from a location that's home to a person who has a grudge against her. Her question was, how could this person have hacked her account, and will her new Norton Internet Security 2011 software prevent future hacking.

Facebook-resident Malware
Unfortunately, there are many ways to lose control of your Facebook account. Simple clickjacking attacks can hijack your "Like" ability, driving up stats for specific pages. That's not so bad, but you can also get hit by innovative malware that resides totally on Facebook. With no software installed on your local system, there's nothing for your local antivirus to detect.

Symantec researchers demonstrated a reverse-engineered example for me; it was scary. As soon as their "victim" clicked on the link, their "attacker" had full access to the account. Don't worry; this all happened on a virtual system.

Social Engineering
Every time you take a quiz, install a Facebook game, or add any app, you get a screen specifying what permissions the app needs. These permissions can include almost anything up to and including accessing your Facebook account even when you're not logged in. If you don't read these carefully you can wind up giving away your personal information.

There's one more possible suspect; the video. Sometimes when you launch a video you get a notification that a new or updated codec is required before you can view the video. This might be true, but quite often the so-called codec is actually a Trojan. An antivirus should block this one.

Protect Yourself
Norton Safe Web for Facebook is bundled with the Norton security products, but anybody can use it for free. It scans your Facebook page's links and reports any bad ones. BitDefender SafeGo for Facebook rates your profile privacy and checks for dangerous links. If you're concerned about dangerous links (and you should be), installing one of these can definitely help.

Facebook keeps working on security internally, but they can't stop you from giving away your personal information in order play a game or take a quiz. A local antivirus won't prevent that mistake either. In the end it's up to you. Pay attention, and if an app asks for too much information just don't install it.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio