Categories
Security

Microsoft Teams exploit may leave your account vulnerable

According to analysts from cybersecurity company Vectra, there’s a massive vulnerability within Microsoft Teams, and countless users could potentially be affected if hackers gets their hands on it.

The program has a flaw that makes it possible for attackers to steal the login credentials of users and log into their accounts. Unfortunately, Microsoft is not planning to patch this right now, so read on to make sure you’re staying safe from this unexpected Microsoft Teams issue.

This flaw, first discovered in August 2022, is pretty severe, but it’s also not too easy to execute. It applies to desktop versions of the Microsoft Teams software (so not the browser version) and affects users on Windows, Linux, and Mac.

It all comes down to the way Teams stores user authentication tokens — in clear text, without any extra protection. That would be disastrous if it didn’t rely on one key factor: An attacker needs to have local access to the system where Microsoft Teams is installed.

Assuming that an attacker does have local access to the network, they could steal the authentication tokens and log into the victim’s account.

Connor Peoples, a researcher from Vectra, said that the threat lies deeper than just one account being compromised; it allows the attacker to hijack accounts that could potentially disrupt the operations of a whole organization.

“[Taking] control of critical seats — like a company’s Head of Engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization,” said Peoples in the report.

How does this all work? Bleeping Computer explained it in greater detail, but the short story is that Microsoft Teams is an Electron app and comes with all the elements required by any regular webpage, such as cookies and session strings. Electron doesn’t support file encryption or establishing protected locations, which is why the user credentials are not being protected as they should be.

During its research, Vectra found a file with access to user tokens in clear text. “Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs,” the company’s report said.

Even more data was found upon further research, including valid authentication tokens and account information. Vectra also found a way to exploit the app and was able to receive the tokens in its own chat window.

Man uses Microsoft Teams on a laptop in order to video chat.

It’s concerning that this vulnerability is currently out there, but Microsoft doesn’t consider it a large enough threat to work on patching it as a priority. A Microsoft spokesperson told Bleeping Computer: “The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing it in a future product release.”

In the meantime, if you’re worried about the security of your Teams account, a good idea is to switch to the browser version of Teams instead of the desktop client. Linux users, however, are advised to simply switch to a different app — especially because Microsoft is planning to stop supporting the Linux version of Teams by the end of this year.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Computing

Hackers use fake tournaments to steal your Steam account

Hackers are once again targeting gamers, and this time around, you could lose your Steam account if you’re not careful.

Through the use of the Browser-in-the-Browser technique, hackers have been able to gain access to some high-profile Steam accounts valued as highly as $300,000. Here’s how the new hack works and how to make sure you’re staying safe.

Group-IB

This new phishing attack is being carried out by hackers who contact Steam users in a well-concealed attempt to steal their accounts. Some phishing attempts are extremely easy to spot, but in this case, the whole thing seems to be legitimate, which only makes it easier for the hackers to gain control of Steam accounts.

Hackers send messages to potential victims via Steam, asking them to join a game of Counter-Strike, Dota 2, League of Legends, Rocket League, PUBG, or another popular esports title. Even if the user doesn’t accept, the hackers request that they vote for their team and provide a link to a website that looks to be an esports organization.

The website is quite well made — you’ve certainly seen similar pages before. It supports 27 languages and detects the correct language from your browser settings.

In order to join a team and play in a tournament or just a friendly match, the users are asked to log in through their Steam account, complete with the username, password, and even authenticator code if they have enabled two-factor authentication.

There’s one problem, though. The login page is not an actual browser window. Instead, it is a fake window that’s embedded within the current page. With this phishing kit, the fake window can even be dragged around, minimized, and maximized, closely resembling a regular pop-up.

If the user inputs their credentials and successfully logs in, they are redirected to an address that also appears legitimate. This is done in order to win the hackers some time while the login information is being sent to the attackers. The threat actors then quickly change the victim’s email and password, making it harder to recover the account.

How to protect yourself

A Steam Deck sitting on top of a PC.
Jacob Roach / Digital Trends

Many people have fallen victim to similar scams in the past, but now that they’re on the rise again and even harder to detect, it’s best to be careful and take your account security into your own hands.

As Group-IB reports, the technique relies on JavaScript (JS) in order to work. Blocking JS scripts would protect you well, but most of us don’t want to do that — many popular websites use JS, so that would affect your entire user experience.

Instead, be careful with links you receive from people you don’t know, and even people you do know. Discord and Steam accounts often get hacked, so receiving messages with links, even from friends, can be suspicious. Make sure you verify you’re actually talking to your friend before you ever follow any links sent to you, and if the person is a stranger, don’t bother — just block them.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Security

A ‘high severity’ TikTok vulnerability allowed one-click account hijacking

A vulnerability in the TikTok app for Android could have let attackers take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users of the platform.

Details of the one-click exploit were revealed today in a blog post from researchers on Microsoft’s 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft, and has since been patched.

The bug and its resulting attack, labelled a “high severity vulnerability,” could have been used to hijack the account of any TikTok user on Android without their knowledge, once they clicked on a specially crafted link. After the link was clicked, the attacker would have access to all primary functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.

The potential impact was huge, as it affected all global variants of the Android TikTok app, which has a total of more than 1.5 billion downloads on the Google Play Store. However, there’s no evidence it was exploited by bad actors,” said TikTok spokesperson Maureen Shanahan. “Researchers involved with the discovery and disclosure praised TikTok for a quick response.”

Microsoft confirmed that TikTok responded promptly to the report. “We gave them information about the vulnerability and collaborated to help fix this issue” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the the efficient and professional resolution from the security team.”

According to details published in the blog post, the vulnerability affected the deep link functionality of the Android app. This deep link handling tells the operating system to let certain apps process links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.

This link handling also includes a verification process that should restrict the actions performed when an application loads a given link. But the researchers found a way to bypass this verification process and execute a number of potentially weaponizable functions within the app.

One of these functions let them retrieve an authentication token tied to a certain user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”

A screenshot of a compromised account.
Microsoft

Fortunately, the vulnerability was detected, and Microsoft has used the opportunity to stress the importance of collaboration and coordination between technology platforms and vendors.

“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”

Although the TikTok app is not known to have suffered any major hacks so far, some critics have branded it a security risk for other reasons.

Recently, concerns have been raised over the extent to which US users’ data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, Senate Intelligence Committee leaders called on FTC chair Lina Khan to investigate TikTok after reports brought into question claims that US users’ data was walled off from the Chinese branch of the company.

Correction and update: This story has been updated with a statement from TikTok. A previously version of this article said that TikTok failed to respond by publication time. In fact, The Verge received their comment but failed to include it. We regret the error.

Repost: Original Source and Author Link

Categories
Game

Xbox Game Pass family plan leak hints at support for account sharing among friends

Microsoft’s forthcoming Xbox Game Pass Ultimate could allow you to share the subscription with your friends. In a tweet spotted by , frequent Microsoft Store leaker Aggiornamenti Lumia that indicates the tier will carry a “Friends and Family” branding. This is something we thought the company was working towards. In the two regions where Microsoft is currently testing Game Pass Ultimate family plans, customers can share their subscription with , as long as they’re in the same country.

Microsoft did not immediately respond to Engadget’s request for comment. Before the start of testing, there were that the company would introduce a family plan. Allowing customers to share its most expensive subscription offering with people outside of their immediate family would make a lot of sense for Microsoft. Not only would the feature encourage more people to try the new tier, but it would also likely earn the company goodwill since the industry standard in recent months has been to .

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.



Repost: Original Source and Author Link

Categories
Computing

How to deactivate your Instagram account

If you’re getting a bit tired of Instagram, you might want to consider deactivating your account. With Instagram, you have two choices: You can learn how to deactivate your Instagram account, or you can delete it completely. We’ll review both options, so you can decide if you’d rather take a break or cut ties with Instagram forever. Just be cautious, as deleting your Instagram account removes all of your content permanently, and you won’t be able to get it back.

Be sure to check out our guide on how to use Instagram if you need any additional help.

Temporarily disable your Instagram account

By temporarily disabling your Instagram account, your profile, along with its photos, videos, comments, and likes, will be hidden (until you reactivate it). Disabling your account is a perfect way to take a bit of a vacation from Instagram. Another option to consider is merely muting a few friends, if that’s your main reason for disabling your account.

Note: The following instructions only work for Instagram accounts that do not use a Facebook account to log in. If you want to disable your Instagram account but your account uses Facebook to log in, you’ll need to remove your Facebook account from your Instagram account and then reset your Instagram account’s password. To do this successfully, you’ll need to have access to the email account that is associated with your Instagram account. Once your Facebook account is unlinked from your Instagram account and you have reset your password for your Instagram account, you can use the following instructions to temporarily disable your Instagram.

Here’s how to deactivate your Instagram account:

Step 1: Visit Instagram.com using a web browser.

If not already logged in, log in to your Instagram account.

Step 2: Click on your profile photo icon in the top-right corner, then select the Profile option.


screenshot

Step 3: At the top of the page, click the Edit profile button.

Step 4: Scroll down to the bottom of the page and click Temporarily deactivate my account.

The deactivate account option on the desktop web version of Instagram.

screenshot

Step 5: Instagram will ask why you’re deactivating your account. Select a reason from the drop-down menu, and then enter your password.

Deactivating Instagram account on desktop web.

screenshot

Step 6: To complete the process, click Temporarily deactivate account. Then select Yes to confirm.

Your Instagram account should now be temporarily disabled. To enable your Instagram account again, simply log back in using the website.

Step 7: The above steps can work for anyone as long as they have a PC, an internet connection, and a web browser.

The Instagram mobile app can let users disable their accounts, but this functionality is currently only limited to iOS users at this time. If you’re an iOS user, you can disable your IG account on the mobile app using the following method:

Select your Profile picture > Three horizontal lines Menu icon > Settings > Account > Delete account >Deactivate account.

Then answer the on-screen prompts. Then select Temporarily deactivate account.

Permanently delete your Instagram account

If you know that you definitely won’t be coming back to Instagram, you can permanently delete your account. It is critical to note that deleting your account will remove your profile, photos, videos, comments, likes, and followers. There is no way to retrieve them once the process has been completed. Additionally, you won’t be able to use that same username again if a new user ends up taking it before you decide to sign up with it again.

If you are positive that you want to delete your account, follow these steps:

Step 1: Visit the Instagram Delete Your Account page. If not already logged in, log in to your Instagram account.

Step 2: Next to Why do you want to delete [your username]?, select an option from the drop-down box.

Step 3: Enter your Instagram password to confirm.


screenshot

Step 4: Click Delete [Your Username].

By following the above process, you will have submitted a deletion request to the Instagram team. After 30 days, Instagram will permanently delete your account and all information. Instagram notes that it may take up to 90 days for the process to complete.

Step 5: As with disabling an account, you can also delete your account via the Instagram mobile app, but only if you’re an iOS user.

Here’s how to do it: Select your Profile icon > the three horizontal lines Menu icon > Settings > Account > Delete account > Delete account > Continue deleting account. Then answer the on-screen prompts.

Then select Delete [your username] > OK.

Editors’ Choice






Repost: Original Source and Author Link

Categories
Security

Hackers have found a way to log into your Microsoft account

Account holders for Microsoft email services are being targeted in a phishing campaign, according to security researchers from Zscaler’s ThreatLabz group.

The objective behind the threat actors’ efforts is believed to be the breaching of corporate accounts in order to perform business email compromise (BEC) attacks.

Stock Depot/Getty Images

As reported by Bleeping Computer, BEC-based activity would see payments being redirected toward hackers’ bank accounts via the use of forged documents.

Zscaler, a cloud security company, said that targets were involved in various industries, such as fin-tech, lending, accounting, insurance, and Federal Credit Union organizations based in the U.S., U.K., New Zealand, and Australia.

At the moment, it seems the campaign has yet to be properly addressed by Microsoft, with new phishing domains being published nearly every day.

The campaign was originally detected in June 2022, with analysts observing a sudden rise in phishing attempts against the aforementioned industries, in addition to account holders of Microsoft email services.

Threat actors would incorporate links to the emails as buttons or HTML files that would redirect the target to a phishing page. Bleeping Computer points out how certain platforms don’t see open redirects as a vulnerability, which has led to these malicious redirects going through Google Ads, Snapchat, and DoubleClick.

Businesses and individuals are increasingly turning to multifactor authentication to secure their accounts. As such, obtaining a login email and password nowadays won’t provide anything of value to hackers.

Custom phishing kits and reverse proxies like Evilginx2, Muraena, and Modilshka have now come into play to bypass an MFA-enabled account.

A phishing proxy that essentially acts as a middle man between the victim and email provider service is capable of extracting the authentication cookies. Through this method, hackers can use the stolen cookies to log in and completely evade MFA for an account.

For this particular campaign, a custom proxy-based phishing kit was found utilizing the Beautiful Soup HTML and XML parsing tool, which amends actual login pages derived from corporate logins in order to incorporate phishing components.

Cyberattacks in general have nearly doubled since last year, while Microsoft itself started an initiative to tackle the rapid rise of cybercrime with its Security Experts program.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Security

NPM users can now connect a Twitter account as a recovery method

Developers who use NPM, the popular JavaScript package manager, will now be able to connect their Twitter and GitHub accounts to the software as a recovery method.

The move was announced Tuesday along with a handful of other features meant to combine enhanced security with usability for the GitHub-owned package manager.

In a blog post, GitHub said that the changes would make it easier for users to secure their accounts, while also streamlining some security features that users had found burdensome.

“The JavaScript community downloads over 5 billion packages from npm a day, and we at GitHub recognize how important it is that developers can do so with confidence,” wrote GitHub product managers Myles Borins and Monish Mohan. “As stewards of the npm registry, it’s important that we continue to invest in improvements that increase developer trust and the overall security of the registry itself.”

GitHub and Twitter accounts can now be used as recovery options for NPM.
Image: GitHub/NPM

Besides the ability to connect Twitter and GitHub accounts as an authentication method, GitHub also announced that the use of two-factor authentication (2FA) for login and package publishing on NPM would be made easier.

Per the blog post, NPM had previously trialed the use of enhanced 2FA logins in a public beta release, but after feedback from the community, decided that certain features should be tweaked in order to be more user-friendly. This included adding a “remember me for 5 minutes” option so that users who successfully authenticated could disable 2FA prompts for a short period of time.

“Account security is significantly improved by adopting 2FA, but if the experience adds too much friction, we can’t expect customers to adopt it,” Borins and Mohan wrote. “Early adopters of our new 2FA experience shared feedback around the process of logging in and publishing with the npm CLI, and we recognized there was room for improvement.”

The improved security features are being made available in NPM 8.15.0, released July 26th, the post said.

As a core part of the open-source software ecosystem for the JavaScript programming language, NPM has been targeted by a number of malicious actors over the years. One of the main strategies has been for attackers to take control of packages by purchasing expired domains registered to package publishers and using these to set up email accounts that can be used to receive password reset emails for the package. In light of this, increasing the use of 2FA when logging into NPM accounts stands to create big security improvements.

NPM’s parent company, GitHub, is also working to improve security on the larger code-hosting platform: earlier this year, the company announced that all users who contribute code would need to have some form of 2FA enabled by the end of 2023.

Repost: Original Source and Author Link

Categories
Computing

Your Facebook account could soon get multiple profiles

Facebook is testing a way to give its users more profiles per account, ostensibly to give users more opportunities for sharing posts and keeping up with the platform’s content.

On Thursday, Bloomberg reported that Meta (Facebook’s parent company) would begin experimenting with letting some Facebook users generate up to four other profiles in addition to their main account’s profile.

That’s right: The experimental functionality will let users have multiple profiles linked to a main account and those additional profiles aren’t required to have real names. Plus, each profile is expected to have its own separate feed. However, though each profile has its own feed, Bloomberg says that only one profile will “be able to comment or like another post.”

Interestingly, Bloomberg also reports that since all of a user’s profiles are still subject to Facebook’s rules and they’re all connected to a main Facebook account, then “rule violations on one profile will affect the others.” And TechCrunch reports that repeat violations committed with an additional profile can lead to the removal of the offending additional profile as well as all other connected profiles, which can include main accounts. So it seems that while this functionality may offer more ways to connect on Facebook, it could also come with more opportunities to lose access to those profiles.

But besides setting up a Finsta-like Facebook profile, what could these additional profiles be used for? According to TechCrunch’s reporting, it was suggested that these extra profiles could be curated to focus on specific interests or hobbies. As in, each individual profile would be created to focus on a specific topic like music or food.

Digital Trends also contacted Meta regarding this experimental feature and received a response. In the response, a Meta company spokesperson did confirm the existence of the feature and the testing of it:

“To help people tailor their experience based on interests and relationships, we’re testing a way for people to have more than one profile tied to a single Facebook account. Anyone who uses Facebook must continue to follow our rules.”

The multiple-profiles functionality is expected to allow users to switch between profiles pretty easily. It’s also worth noting that those who elect to use this feature are still not allowed to use their extra profiles to impersonate others. Even though you can pick out any name you want for these profiles, those names are still subject to Facebook’s rules, which means they can’t contain any special characters or numbers, and they have to be unique names.

Lastly, if you plan on doing things like running a Facebook Page or using Facebook Dating, just know that you can’t use your additional profiles for these. You’ll need your main account’s profile for those features.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Game

How to Log Out of a Fortnite Account on PS4

Chances are that you’ve at least downloaded Fortnite on PlayStation 4. After all, it’s one of the most popular games ever, as evidenced by the 27 million players who participated in the in-game Travis Scott concert. Even though it’s still insanely popular, there are a handful of things it could do better — like implementing a clearer way to log out of your account. This guide will walk you through how to log out of Fortnite on PS4.

There are multiple avenues you can take to log out of your account on PS4, all of which involve using a browser. This can be done from the PS4 itself or a PC, tablet, or phone. Since navigating the PS4’s browser is a bit clunky, you might want to consider using a separate device to do this.

Further reading

Logging out via PS4

After you launch Fortnite, you might be looking for a specific log-out option from the main menu. Unfortunately, it’s not that simple, but there is a way to ensure you’re logged out.

Step 1: Select Options from the game’s main menu, scroll down, and select the Support option. This will open up the PlayStation browser.

Step 2: You’ll be brought to the Epic Games website, so once the page loads, head to the top right of the screen and select Sign In.

Step 3: Use this to sign in to your Epic Games account (keep in mind that you might have to use a verification code to get signed in).

Step 4: After you’re in, go back to the same spot, and you’ll see your username. If you hover over it, a new option will appear labeled Account — select that option.

Step 5: This will direct you to a new page with several options on the left-hand side of the screen. You’ll want to click the Connections option.

Step 6: The submenu defaults to Apps, so click on Accounts. This will allow you to see a list of every Fortnite connection you’ve made, including the PlayStation Network.

Step 7: Select PlayStation Network, check all the boxes, then press Unlink. That logs you out of your Fortnite account on PS4. You can use the same steps to log out of other systems like Xbox One and Nintendo Switch.

Changing the user

To change to a different user, you’ll need to follow a couple of steps.

Step 1: Reboot the game.

Step 2: Upon rebooting, a sign-in page will appear on the screen. On that sign-in page, you can type in your preferred PS4 user info to switch accounts or add a new account entirely.

Logging out of a PS4 account via a PC

To log out of Fortnite on PS4, whether you’re using a phone, tablet, or PC, you can also follow the same steps listed above. You may find that the logout process seems even easier; your favored web browser may seem more familiar than the PS4’s browser. From start to finish, you’ll find that logging out via a PC is almost exactly the same as logging off a PS4 system.

Step 1: Navigate to the Epic Games website and log into your account using the top-right option (which is thoroughly explained above).

Step 2: Once you’ve finished that, you can investigate through your account.

Step 3: Click on Connections and unlink your PSN account. After you’ve disconnected that link, when you reopen Fortnite from your PS4, the game will prompt you to log in or create a new account.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Security

How to recover when your Facebook account is hacked

Hopefully, the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you, for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control.

Let me take you through the recovery process. Afterward, I’ll provide some proactive security pointers you can follow to prevent this awful moment from happening, or at least reduce the chances that it will.

Three ways you can lose control of your Facebook account

There are actually three different possible scenarios.

Scenario 1. You let a family member or friend “borrow” your Facebook account on your computer or phone. They proceed to consume content, post messages as you, or befriend random people. This happened to a friend of mine, who had a grandchild staying at her home for a week. The girl left town and left a mess behind on my friend’s Facebook account. “She didn’t post anything to my account, but I had odd friend requests that I had to clean up. I decided to just quit using my account.” This is more of a nuisance than a hack, but still annoying.

Remedy: First, use Facebook’s security page to check and see where else your account is already logged in.

This list should also remind you of all of the devices that you have used Facebook on in the past. I took this screenshot after I found (and then removed) an older Windows laptop that I hadn’t used in years on the list. You’ll also see an entry for my iPhone that is located somewhere in Indiana. I haven’t visited that state in years, so sometimes the geo-location algorithms are a bit wonky. Even if your account isn’t hacked, it is helpful to routinely check this screen to make sure you haven’t enabled a login by mistake.

If you don’t recognize (or don’t use) any of the devices on this list, click on the three vertical dots on the right and force those machines to log out of your account. Next, change your password to something unique. Also, remember in the future to sign out of Facebook (and Messenger) before you loan your device to anyone.

Scenario 2. Someone uses your photo and name and sets up a new account. Then they proceed to try to recruit your FB friends to their account.

Remedy: There isn’t much you can do about it, other than tell people you are still you and to ignore the imposter. This should be a warning when you receive a friend request from someone you think you have already befriended, or someone you haven’t communicated with in years. A word to the wise: send them an email or text asking if the request is genuine.

Scenario 3. The doomsday scenario. Someone guesses your account password and proceeds to lock you out of your account. This situation is the most dire, and fixing this will depend on what else you have linked to your Facebook account and how determined you are to get it back.

This happened to Elizabeth, a book author. She ended up working with two different friends who were IT professionals and a lawyer over the course of four months. She had two complicating factors that made recovering her account difficult.

First, she used Facebook ads to promote her books, so she had connected her login to her credit cards. This resulted in the hacker charging her card with their own ads to try to lure other victims to compromise themselves.

The second complication was that she was using her pen name and a random birthday date for her account. During the recovery process, Facebook asks that you scan your ID to verify who you are. When she told me this, I became concerned for myself. For years I prided myself on using January 1 as my Facebook “birthday.” Now she was telling me that I was setting myself up for trouble if someone hacked my account.

She eventually got her password reset, but almost immediately the hacker reset and took over her account again. “I tried to get someone at Facebook to help me, but I couldn’t get anyone on the phone,” she told me. Before the pandemic, the company had a special phone hotline for industry insiders, “but this was discontinued,” she said. She had more success blocking the credit card charges by phoning her bank. “I was trying to be a step ahead of the hacker, and losing sleep. My whole life was put on hold as I tried to deal with the situation. I got no work done for months. I ended up changing my passwords on more than 30 different accounts.”

Possible remedies: if you find yourself in this last situation, you have three basic choices:

1. Now would be a good time to leave Facebook. The trouble is, you have someone who is pretending to be you, and could leverage your identity into criminal and uncomfortable situations. Not to mention that they could try to leverage bank accounts that are linked to your account or open up credit cards in your name. (More on that in a moment.)

2. Try to reinstate your account on your own, using Facebook’s own obscure and oftentimes contradictory steps. That is the way most people I know have tried. However, you will find out very quickly that there is no easy way to do this. You have to communicate with Facebook support through someone else’s account, which seems somewhat contradictory, so hopefully your spouse or friend is willing to lend a hand. (Don’t be tempted to set up a second account, because that could result in both of your accounts eventually being canceled.) Then you have to choose one of several options (finding an unauthorized post, an account that uses your own name and/or photos) and enter the rabbit hole to recover your account.

If you use Facebook as a means to log into other internet services, you will have to disconnect these links — otherwise a hacker can then compromise these other accounts. If, like Elizabeth, you have connected your credit card or other financial accounts, you will have to contact these institutions and get these charges rescinded. Start by trying to use Facebook from other devices you have previously used: perhaps the hacker hasn’t automatically logged you out.

3. Use a third-party recovery service, such as Hacked.com. This will cost you $249, but the company will be persistent and if they can’t help you, they will refund your fee. You also get a year’s digital protection plan included that normally sells separately for $99. If you have a complex situation like Elizabeth (connected finances, non-matching birthday), I recommend using this path.

But make sure you aren’t employing some random hacker who might be taking your money and doing nothing else. I spoke to Hacked.com founder Jonas Borchgrevink, who outlined the various sequences of steps that his staffers try in a recent Washington Post article. And he confirmed that if you are using a different name from what is shown on your ID, it is almost impossible to recover your account.

Proactive security measures

If you haven’t been hacked (yet) and are getting somewhat uncomfortable reading this, here are some steps to take to secure your Facebook account, or to at least reduce your pain points if it does happen. Start by doing at least one of them today, and make sure you take care of all of the items as soon as possible.

1. Set up additional login security on your Facebook account. Facebook offers you a set of confusing choices, but the one that I recommend is to use a two-factor authenticator app such as Google Authenticator. (You can start at this Facebook page.)

Two-factor authentication (also known as 2FA) uses an Android or iOS smartphone app as part of the login process. After you supply your username and password, Facebook asks you to type in a series of six numbers that are generated by the app. These numbers change every minute, so you need your phone nearby when you log in. If you want extra credit, take the time to enable this second factor method on your other accounts, including any banks and credit card companies that support this method (sadly, too few do).

Elizabeth was using a less secure method for her second factor: sending the six numbers as a text message to her phone. You can read more about why this isn’t my preference.

2. Check to see if you have any payment methods configured on Facebook. While preparing for this article, I was surprised to find my PayPal address linked to my Facebook account — and I thought I was being careful about my Facebook security. There are two places to check. First, there is the page that shows if you have set up any credit cards to make direct payments to individuals or causes, called Facebook Pay. Go to this other link to remove any ad payment methods. If you are running any ad campaigns on your business, you will have to stop them first.

3. Remove connected apps and websites. If you have signed on to third-party apps using your Facebook credentials, now is the time to review and remove them (you can find the appropriate page here). The same is true with removing any business integrations. You take a small hit in not being able to automatically log into these other services, but you also protect yourself if your account has been compromised.

If you have a Facebook business page, you should have at least two people who have admin rights to this page. (Go to Page Settings > Page Roles.) If your business account is hacked and you are the sole admin, it will be next to impossible to get it recovered. This contact should also have second factor authentication turned on.

4. Check your account’s email contacts (using this Facebook page). You should have at least a second contact email (or more) that Facebook can use to send you notifications in case your main email address becomes compromised. Of course, use different passwords with these different email accounts.

I know, this seems like a lot of work, and there are a lot of places in the Facebook settings pages that you will have to visit and pay attention to. And chances are, the links provided above might not work in the future, as Facebook likes to make changes to its settings.

If these activities to make yourself more secure haven’t gotten you frustrated, you might want to continue improving your security. I recommend either the Jumbo smartphone app for iOS and Android, or Avast One (available on Windows, Mac, iOS, and Android). Either can help walk you through the numerous steps to secure your Google, Twitter, and other accounts.

Parting words of wisdom

Think before you click. If you get a message from what looks like a social media company saying that your account has been compromised, don’t follow any links or call any phone numbers in the message. This could be a lure from a hacker. Instead, navigate to the site or use its own app directly.

Be aware of things that seem unusual. Keep an eye out for messages you didn’t send, posts you didn’t create, or purchases you didn’t make. These could be tells that someone has guessed your password or compromised your account. If you are lucky, it might be an errant teen using one of your computers.

As Elizabeth told me, “Being hacked is like getting a digital tattoo — everyone can see the after-effects of your poor choices.”

Repost: Original Source and Author Link