Case reported of a hacker breaking through Facebook's two-step verification, with ads also run using the victim's payment information



Facebook accounts are used by many individual users and businesses, and while they are no longer an integral part of our lives, the damage when an account is hacked is all the greater. Independent game developer Todd Mitchell reports a new case in which a hacker broke through Facebook's two-step verification.

A Facebook hacker beat my 2FA, bricked my Oculus Quest, and hit the company credit card – CodeWritePlay

https://codewriteplay.com/2021/08/20/a-facebook-hacker-beat-my-2fa-bricked-my-oculus-quest-and-hit-the-company-credit-card/

Something changed on Mitchell's Facebook account at around 3:30 pm local time on August 19, 2021. Of course Mitchell was asleep, but he says that at this time Facebook sent a message saying 'Your Facebook account is disabled because your account or its activities do not comply with community standards.'

It was Mitchell's wife, not Mitchell himself, who first noticed the change in his Facebook account. His wife, who was working remotely overnight, noticed a Facebook notification that Mitchell had changed his profile picture and asked in a text, 'Are you okay?', but Mitchell was asleep and did not notice the message until he woke up.

Mitchell, who woke up shortly before 5 o'clock, was confused by the email from Facebook and the text from his wife, but did not yet understand how serious the consequences would be. He decided to follow Facebook's steps for appealing the disabling of an account and uploaded a photo of a government-issued ID card. Mitchell said that at that point he was thinking about protecting his account, because he assumed the appeal would be easily accepted.

However, just 18 minutes after Mitchell's appeal, Facebook sent him an email rejecting it. 'The account has been disabled .... This decision has already been confirmed and is irreversible. Please see the community standards for more information on why you want to disable your account,' the email said. Since the holder of a disabled account can only use the help link to file an appeal, Mitchell ran out of options in an instant.



The lack of a contact point at Facebook has plagued many users, and having an account disabled because of a hijacking can be very damaging. Some people even resort to the trick of buying the VR headset 'Oculus Quest 2' for $299 and recovering their Facebook account through Oculus customer support.

What is the trick to get manned support on Facebook where there is no contact point? --GIGAZINE



Mitchell also owns an 'Oculus Quest 1' purchased in 2019, and he had registered with Oculus as a game developer and created content for patrons with Unity for a short period of time. Not wanting to lose the Oculus library associated with his account because of the Facebook account hijacking, Mitchell started up the Oculus Quest, but as he had feared, he reportedly could not log in to Oculus because of the Facebook account problem.

The message from Oculus read, 'The Facebook account linked to your Oculus device has been suspended because your Facebook account or its activities are not compliant with community standards,' and it was presumed to refer to a review process similar to Facebook's.



After Mitchell had confirmed this much, his sons got up, and he decided to go and play disc golf in the park that morning as promised earlier. Mitchell said he didn't want to ruin his son's day with Facebook account issues.

At 11:30 am, while Mitchell was playing in the park, his wife sent a message: 'Did you buy something on Facebook?' Mitchell had indeed advertised his website and podcasts through a business Facebook page called CodeWritePlay, which he managed with his Facebook account. However, Facebook charges the advertising fee 'when the unpaid advertising fee reaches $25 (about 2750 yen)', and Mitchell, who had spent only $10 (about 1100 yen) in the past few months, had no recollection of such a charge.

After returning home, Mitchell found that he had actually been charged $25 and tried to dispute it with Facebook. However, the personal account that managed the 'CodeWritePlay' Facebook page had been disabled, so there was no way to contact Facebook. Mitchell left it alone for the time being because it might have been a mistake, but a few hours later he was charged $25 again, which made it clear that the hacker was misusing his credit card. He immediately called the bank to dispute the charges and canceled the card completely to prevent further charges.



Mitchell had enabled two-step verification on his Facebook account, which means that the hacker somehow broke through it. Mitchell speculates that the hacker first added himself as an administrator of the 'CodeWritePlay' Facebook page, and after that changed the profile picture of Mitchell's personal Facebook account. The notification that Mitchell's wife saw was caused by this action by the hacker, and as a result Mitchell's personal Facebook account was disabled.

Meanwhile, the 'CodeWritePlay' page, which holds the payment information for Facebook ads, was left with only the hacker as administrator. The hacker is believed to have uploaded an ad for the product he wanted to advertise on the CodeWritePlay page and used Mitchell's payment information to run it. Although the ads promoted products such as cameras, Mitchell points out that the links could also lead to other scams and malware installation.

As for the Oculus Quest, by following the guidance of Oculus support, he succeeded in unlinking the device from the Facebook account and was able to log in to the Oculus library again. However, he didn't get any advice on how to deal with the Facebook account.

In addition, after Mitchell posted about the series of events, the 'CodeWritePlay' page was deleted on the night of August 20 following reports from users supporting him. This stopped the hacker from using Mitchell's page, but Mitchell said that Facebook had shut out the real users who could stop ad scams. He questioned whether Facebook could really identify the pattern before the credit card was used, and criticized its series of responses as complacent.



in Web Service, Posted by log1h_ik