Friday, February 28, 2014

Lucia Facebook - when someone is using your email for their account

As a blogger, I maintain multiple email accounts. Some accounts I allow to "know" each other, and other accounts I like to keep separate. As a bit of a computer geek, this is just something I do automatically, so that if an account gets hijacked, the damage is limited to only those accounts in the circle of knowledge.

Most software subscriptions allow you to confirm that you are the actual email owner upon initial contact. If you do not confirm, then your email account is left alone. Not so Facebook. It seems to be irrelevant to Facebook whether or not the email given really belongs to the person trying to use it.

No, their "solution" to people accidentally or on purpose using other email accounts is to force their users to register all their email accounts to their Facebook account. From a data gathering point of view it certainly makes sense, except of course, if an email account is linked by someone who doesn't have access to it, then not so much. It seems that FaceBook is more interested in forcing their users to register all their email accounts than it is in keeping them secure.

This thread, full of people including myself asking FaceBook to help them with their email accounts that have been used by other FaceBook users, shows that FaceBook is not really interested. The reply from the FaceBook person was just to add the email to the FaceBook account, even though doing so is impossible if it's already being used by another FaceBooker.

On another thread on the very same topic, the FaceBook person tells the disgruntled users that the signup process for FaceBook is not complete until the email sent as confirmation is verified. However, a recent comment shows that what the FaceBook Help Team person said is not true - that there is no way to get an email address back once another person has used it on FaceBook, whether it is confirmed or not.

I have just become interested in this whole thing again because one of my email accounts has had 30 or so emails sent to it from FaceBook (in Portuguese) on behalf of a person who has used it as their main email address. They have also easily added numerous friends and posted a number of updates without ever having to confirm their email address. I still have that confirmation email in my Inbox as proof that the confirmation email from FaceBook does absolutely nothing to prevent email hijacking.

I was at first very frustrated, and after reading the original thread of annoyed FaceBook users, I came across a person suggesting that you search for your email account on FaceBook and report the user.  So I searched and I found the offending person, and sent them a message.  I didn't know you could search for people by their email account on FaceBook.

Anyway, I then realised I had their email account and what that meant - that I had the entry key into their  Facebook user account. All I had to do was tell FaceBook through the log in screen that I had forgotten my password for that account, and I would get the reset password email sent to me.  Once I had it, I could change the password and log on. I don't know why this didn't occur to me before - I suppose I just don't think like a hacker.

At first I thought I should warn them that I was about to do this (to be fair), and after sending them a message, thought about it some more and decided that if they added a phone number to their account in response to make the account more secure then I'd be stuffed.  So I did it.

I used the Forgotten password option on the main screen using the stolen email address and confirmed that I wanted the password reset. A reset password email was sent to me (in Portuguese). I used this email to go back to FaceBook to change the password. Then I logged into the account with the intention of removing my email address as their contact email, having to use Google Translate to help me navigate FaceBook because everything was in Portuguese. It was very disorienting. Once I got to the account page, I was able to change the language to English, which made working with the account much easier.

Originally, I was just going to remove my email address from the account and then just leave them to recover it, if they could.  However, my email address was the primary contact - there was no other email address to change the account over to.  In the end I just deactivated the account, and left a message for FaceBook as to why I was doing it.  Because they ask, you see.  They want to know why people leave.  They have all these options for why, but if you click the "other" option, you can then leave them a message.

Anyway, I now have a plan for dealing with this person or people who like using my email address to set up their FaceBook account. 

Be warned, everyone out there - your email could get hijacked by someone who needs an email address for FaceBook.  Even if that email is never confirmed in any way, FaceBook ignores lack of confirmation and lets the person keep your email on their account and you get all the emails from all their activity.

Thank goodness for the FaceBook reset password, a fantastic back door for recovering an email account!
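The behaviour described in this post comes from treating an unconfirmed address as if it already belonged to the account. The sketch below is an added example (not part of the original post, and not FaceBook's code) of the confirm-first design most services use: an address is bound, receives activity mail, and can receive a reset link only after the mailbox owner returns a one-time token. The class `AccountStore`, its method names and the `example.test` addresses in the test are all hypothetical.

```python
import secrets

class AccountStore:
    """Toy account store (hypothetical): an email is bound to an account only
    after the mailbox owner proves control by returning a one-time token."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"pending": email|None, "verified": email|None}
        self.tokens = {}    # token -> (account_id, email)
        self.outbox = []    # (recipient, kind) for every mail the service sends

    def sign_up(self, account_id, email):
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)
        self.accounts[account_id] = {"pending": email, "verified": None}
        self.tokens[token] = (account_id, email)
        # The confirmation request is the only mail an unverified address gets.
        self.outbox.append((email, "confirm"))
        return token

    def owner_of(self, email):
        # Only verified bindings count as ownership of an address.
        email = email.strip().lower()
        for account_id, rec in self.accounts.items():
            if rec["verified"] == email:
                return account_id
        return None

    def confirm(self, token):
        account_id, email = self.tokens.pop(token, (None, None))
        if account_id is None or self.owner_of(email) is not None:
            return False  # unknown token, or address already proven elsewhere
        # Drop every unconfirmed claim on this address, then bind it.
        for rec in self.accounts.values():
            if rec["pending"] == email:
                rec["pending"] = None
        self.accounts[account_id]["verified"] = email
        return True

    def notify(self, account_id, kind):
        verified = self.accounts[account_id]["verified"]
        if verified is None:
            return False  # no activity mail to a mailbox nobody has proven
        self.outbox.append((verified, kind))
        return True

    def request_password_reset(self, email):
        # Internal result only; the public response should look the same
        # either way so the form cannot be used to enumerate accounts.
        account_id = self.owner_of(email)
        if account_id is not None:
            self.outbox.append((self.accounts[account_id]["verified"], "reset"))
        return account_id is not None
```

With this design an address typed in by someone who cannot read the mailbox receives a single confirmation request and nothing else, and it stays free for its real owner to register.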

