Facebook Hacking

From: william (WILLIAMA)23 Sep 22:38
To: ALL1 of 10
Mrs WmA has been receiving  FB notifications that somebody has logged on to her facebook account from an unexpected location. Her account is locked until she changes her password. This is the genuine biz from the look of it, not some phishing thing. This has been a daily occurrence for a while. For instance, this w/e we were in Edinburgh and neither of us had PCs (just Android phones) and she got a notice that somebody using Chrome on Windows had logged in at 04:00. She dutifully changes her password but it doesn't seen to help. She also had a notice that she had been banned from tagging people a couple of weeks ago which made no sense since she has no recollection of ever having tagged anybody ever (unusual but true). But then I spotted a post, supposedly from her with loads of people tagged that neither of us knew, advertising some bizarre fat-fighting product. Soon after, the 'change your password' notification arrived.

So what's happening? She's tried all sorts of passwords, including some really tough ones, but it doesn't seem to help. We've scanned all our devices with more virus checkers than you can shake a stick at. Is there a brute-force-password-cracking-bot with a grudge on her case?
From: CHYRON (DSMITHHFX)24 Sep 14:33
To: william (WILLIAMA) 2 of 10
This is probably out of date but may still have some relevant pointers

https://null-byte.wonderhowto.com/how-to/4-ways-crack-facebook-password-protect-yourself-from-them-0139532/
From: Matt24 Sep 17:18
To: william (WILLIAMA) 3 of 10
Check the email address linked to the account hasn't also been compromised?

Enabling Two Factor Authentication on her Facebook account might be a good first step.

Also, on Facebook, go to Settings > Security and Login and you can see a list of devices where you are logged in. If you expand the list you can log out of all devices.
From: william (WILLIAMA)24 Sep 17:31
To: Matt 4 of 10
Email address is OK. I've tried to get her to do 2 factor authentication, but without success so far.

I'll see if I can persuade her to do the logout thing - ta for the suggestion.
From: william (WILLIAMA)25 Sep 17:50
To: william (WILLIAMA) 5 of 10
Well, I managed to get her using 2 factor authentication for Facebook. In the meantime, she had notifications from Amazon that somebody had tried to login repeatedly (genuine notifications, not the West Central African variety), and from ebay that there was an item in her shopping basket that had been there for a month and did she still want it. She checked and it was a £1500 laptop. So - new passwords for Amazon (just in case) and ebay. The ebay security people said they thought her email account was the access route - yet another new password. I got her to run a full scan using Norton, the free online one, and then Bitdefender, which she has running anyway. Both came up clean.

I didn't speak to the ebay people, but Mrs WmA said they sounded 'pretty confident' that the route was via her email, so maybe they know something we don't.

Good news that whoever got into her ebay account couldn't access Paypal or any of her other payment methods. And good news that I managed to convince her to use properly strong passwords even if they are now written down on paper.
From: Matt25 Sep 17:50
To: william (WILLIAMA) 6 of 10
Two Factor on Facebook is much easier if Mrs WilliamA has the Facebook Android/iOS app as they can be used to verify the login attempt. If you want to use another 2FA process/app I highly recommend Authy.

But definitely don't use SMS.
From: william (WILLIAMA)25 Sep 17:57
To: Matt 7 of 10
It probably would be easier, but she's happy getting text messages - yes, I know. I shall leave it a week or so until the temperature cools down* and then suggest Authy. In fact, I may start using that myself, thank you!


*her Fitbit has stopped cooperating too and as I am the tech support in the house, the hacking and her Fitbit problems are clearly linked and it's certainly my fault.
EDITED: 25 Sep 17:57 by WILLIAMA
From: william (WILLIAMA)26 Sep 11:08
To: Matt 8 of 10
I've passed the IP address and login times (from the Facebook alerts) to Sky abuse. They might be interested I suppose, as it's a PC using a Sky address. Took a second look at the alerts and it's definitely her email that was compromised (login was via a code + her email address). Hopefully all fixed now.
From: CHYRON (DSMITHHFX)26 Sep 14:30
To: william (WILLIAMA) 9 of 10
"it's a PC using a Sky address."

Might be, ip might be spoofed.
From: william (WILLIAMA)26 Sep 15:30
To: CHYRON (DSMITHHFX) 10 of 10
True.