Facebook password scam?

I’ve received several emails today stating “We received a request to reset your Facebook password.
Enter the following password reset code:”

Is someone trying to hack into my account, or is this a scam email phishing for passwords? I can’t find anything suspicious in the headers or the link, and I can’t imagine my little-used FB account is worth hacking. Any ideas?

Yes. And more characters fuck Discourse.

Since you’ve ruled out the links being phishing, my bet is they’re legit.

Maybe it’s “honest”? Somebody made a typo and is trying to log in as you instead of themselves.

Or maybe you’ve been on one or more hacked sites and people are systematically trying your other passwords? (Go to the Have I Been Pwned? site and check. Just to be sure.)

There’s some value in a Facebook account that has had legitimate traffic, but bedevilled if I know what that is. SEO stuff with yandex, maybe? Pushing products on your ex-friends?

The purpose of that site seems to be to sell a product called 1Password. And it says whether your email (or phone number) has been found in one or more data breaches. Nothing about any passwords being breached. Is that correct? How serious would a finding of an email breach be?

I do recommend 2-factor authentication on all your sensitive accounts, which should include any email account you use as a contact for financial institutions etc.

The purpose of “Have I been Pwned” is to reveal if your account was caught up in data breaches on other sites.

If you’re the sort of person to use the same password, then it reveals that you’re at risk. The first thing hackers do with stolen account/password pairs is try them out on other sites.

Thanks for the feedback. It does appear that this is a case of 2FA successfully blocking an attempt to hack my account. Still can’t imagine what the point would be, except maybe to test out a password before trying it on my bank or something.

Realistically you’re not going to have a legit website checking if your passwords have been breached. How would that work? Enter all of your passwords into a website form? No thanks! But they can check whether your account info has been breached by checking for your email address.

Spam or real? Could be either. I regularly get emails in my spam folder that I assume are phishing attempts, because they are never actually from a facebook email. I’ve also gotten a few from facebook emails that were probably legit, but I assumed were just someone mistyping their email or some other honest mistake.

In fact, I got those emails last week. It was while I was sleeping, but I didn’t panic when I saw them, because I assumed they were just someone making a mistake and they shouldn’t have been able to bypass my password without email access, anyway. But nope, they did, no idea how. Unfortunately, I didn’t have 2fa on, and I lost the account. They changed my password, email, phone number, and turned on 2fa.

I’m glad the 2fa worked for you, because it turns out getting back a hacked account is near impossible. Let this be a lesson to anyone else to turn on 2fa immediately! Facebook security and customer service are both non-existent. It is impossible to contact humans, and their automation tools are all broken.

Like you, I wondered what anyone would want with my tiny little account. I mostly used facebook for messenger. My friend count is pretty low. But I have a couple of theories.

  1. I heard fb is really trying to crack down on fake accounts since January. Perhaps this is spurring them to steal real accounts with a history to spread spam or misinformation or whatever they do.

  2. They logged on to glean as much info from my account as they could and then abandon it. Many people have business pages, payments, and other useful things connected in addition to their main profile with names, addresses, places of work, family members, etc.

Apparently some hackers are posting terrible stuff to get your account banned. Idk if that’s just straight trolling, or if it’s the final step in theory 2.

I’ve actually heard of a lot of people getting hacked recently. I wonder if hackers are upping their game, or if it’s just a coincidence.

I will say, all this has really opened my eyes to what shitty security fb has, and how little they care about it. I’m not sure I’ll trust facebook enough to make a new one, but it’s really annoying to get by these days without one.

I have 2FA that sends me a text message when there is an attempt to change something. If I don’t enter a texted security number in a web form, nothing gets changed. And yes, there have been times someone has attempted to get into my account and triggered those texts.

No. See below.

Also they have a Donate page but I do not see any ads on the site. No idea how you concluded this was a front to push 1Password.

Here’s how it works. If you enter an email address, it will give you a report of breaches that included that email address. It gives information about each breach, including what personal information was included and whether passwords were included. It does not check your individual password, it just reports generically on what data was hacked in the breach.

Yes, it was a rhetorical question. I was asking @Roderick_Femm how he thought a website could check specifically for if your passwords had been compromised without getting you to enter your passwords.

As for 1Password, I got an ad for that as well but it might not have been the website pushing it.

Edit: the website definitely pushes 1Password. Have I Been Pwned: Why 1Password?

Interesting. Clearly an endorsement for the product, maybe a paid endorsement, but I see no link to it from the home page.

As soon as you enter an email or phone number and check it, the results page shows the three steps to password security, including subscribing to 1Password, and which has a link to the subscription page. This happens whether you have been pwned or not.

I have to say that the last time I checked how “pwned” I was, it used to not push any third-party product.

So I offer my apologies to those who found this offensive. I assure you that wasn’t my intent.

At this point, isn’t it reasonable to assume that pretty much every email address has been “Pwned”? I know this experience has inspired me to go through and clean up all of my passwords, and make sure 2FA is enabled wherever it’s an option.