Has My Facebook Been Hacked?

 

Is It a Hack? Or a Different Type of Exploit?

What Causes My Messenger to Spam my Friends?

Recently, I am seeing a spate of folks warning friends their Facebook has been hacked.  This is usually preceded by their account sending out messages to everyone on their Friends list. The user assures everyone s/he has changed his/her password, and thinks s/he has done what is necessary to re-secure the account. But have they really? Unfortunately, the answer is no. Changing a password will ONLY help protect you IF, in fact, someone has discovered your username and password, and has used that information to log into your account. Generally, the first thing someone who hacks your account will do is change your password, and quite possibly the associated e-mail or phone number too, effectively locking you out of your own account. 

In this post, we'll review the difference between a "hack" and other types of Facebook Exploits. And we'll review what you NEED to do should you be caught in any type of Facebook Exploit.

A friend recently posted the following, after her Messenger spammed her whole Friend List with an invitation to join.

I was lucky enough to receive the message, but knew not to click through. I then did the responsible thing and messaged her back to see if she had meant to send me the link. 

If you can have an exchange like the one in the screenshot, chances are you have NOT been hacked. It is a different type of exploit.

If It's NOT a Hack, What Happened?

More often, what has happened is you've encountered a "rogue app," or you have given a legitimate app a permission you did not want to. In the CashApp example shown in the screenshot, you most likely gave CashApp, a legitimate app, permission to send your friends a referral link via Messenger. 

CashApp has what is called a "referral bonus program." This means you get a reward for every friend you get to sign up and start using CashApp, if they enroll via the link you send them. 

These are the CashApp terms for getting a referral bonus:

Earn a bonus when a friend uses your invite code to send $5 or more from a newly created Cash App account. To receive the bonus, make sure your friend:

•     Enters the invite code when they sign up
•     Links a new debit card or bank account to their Cash App account. People under 18 can activate a Cash Card instead
•     Sends $5 within 14 days of entering the invite code

Sponsors cannot receive an invitation bonus from inviting anyone with an account that they authorized.

To see your invitation bonus amount, tap the profile icon on your home screen. 

But BECAUSE of the popularity of CashApp, and the money anyone can get through helping others to sign-up, there are a LOT of cloned sites, phishing attacks pretending to be CashApp, and folks who will try to trick you to sharing THEIR referral link instead of your own. (If you suspect, you fall into this category, keep reading. We'll tell you how to handle that later on.) In other words, you may have fallen for a scheme that pretends to be CashApp, but is actually something else. This is NOT a "hack" per se, but it IS an unwelcome, potentially dangerous exploit.

NOTE: The web URL for Cash App is NOT CashApp.com or CashApp.biz. Those are both sites trying to trick you into enrolling through them, so that they can steal your referral bonus and maybe cause other harm too. The web address for the REAL app is cash.app. CashApp is owned by Square, a popular online and offline payment processor. CashApp may use Square domains, like Square.com or squareup.com, as well as its own dot app domain in communications.  Communications from cashapp.com are fraudulent, as are links to cashapp.com.  Cashapp.com is an active, hosted domain, but it does NOT belong to CashApp, the payment service.

So What is the Harm in Inviting My Friends?

There is no actual harm in participating in the CashApp referral program, other than pissing off your friends by spamming them. However, CashApp offers an "invite by e-mail" option, which will filter out those already enrolled. This is the option you should use, rather than connecting your messenger to the app.

The danger comes from using a cloned or rogue app to share your referral code. You may be allowing a rogue, copycat app to connect to your Facebook and to post on your behalf, something dangerous for BOTH you and your connected friends. MOST CashApp links sent via Messenger are actually scam apps. (Keep reading if you think this describes your situation.)

If you are not sure whether you shared legitimately, you need to follow the steps BOTH for disconnecting an app AND for recovering from a hack. Better safe than sorry later. Your account very well may be sharing malware disguised as a legitimate referral code.

I Didn't Connect Messenger, Yet CashApp Still Spammed My Friend List

Chances are, this means you used a Referral Scam to enroll in CashApp yourself. CashApp referrals can be very lucrative, which is why many scammers build their own mini-app that piggy-backs on the official one.

Since a user gets $5 for every sign-up made through their link, a LOT of folks try to exploit this. They create fake phishing domains that clone the Official App rather well. They have you sign up through their own rogue app, giving them the referral bonus. Problem is, that also gives them all of your personal info you need to give CashApp when you open an account. Their malware then uses that information to enroll you in CashApp, as well as gives Bad Guys the ability to access your account. They then use your info, as well as the "invite ability," to generate a referral link giving THEM the bonus, and they use your CashApp info to spam your friends, including sending Facebook Messenger invites to all of them. They may or may not exploit your CashApp and any connected accounts too.

If you suspect you have fallen for a phishing scheme by enrolling for CashApp through a rogue app, you need to change your CashApp pin ASAP. If you DO NOT see CashApp in your list of connected apps, that means you used a rogue app to enroll, and that rogue app or link is the one exploiting your Facebook. If you suspect that is the case, consider closing your CashApp account and opening a new one, through the Official App itself, with a different CashApp "handle." Also notify whatever bank you may have connected through the original account, and ask them to put a fraud alert on that account. Do the same if you have connected a credit or debit card. 

It may also be another rogue app that resulted in the messages being sent. Keep reading, and we'll tell you how to handle that too.

My Friends Were Messenger Spammed, but NOT by CashApp; What Do I Need to Do?

Any time you use Facebook Login, or play a game, take a quiz, or otherwise use a third-party app on Facebook, you grant that app and website certain permissions. Often, these permissions include allowing an app or website to "post as you," either on your Facebook Timeline, using Messenger, or both. If an app or website posts as you because you have given it permission to do so, changing your password will NOT alleviate this.

Instead, what you need to do is audit your permissions. To do this, go to Settings, then Security and Login, then Apps and Websites. This will give you a list of connected apps. Once there, you can either "View and Edit," or "Remove." 

"View and Edit" will let you see the permissions you have granted the app, and selectively decide what to keep or sever. Remove will sever the app permissions completely.

Let's look at the permissions one grants to GoFundMe.  The permissions in the screenshot are typical if you have allowed GoFundMe to share to Facebook on your behalf (by using the Share button on a campaign.) In order for it to share a campaign on your behalf, it MUST have access to your Friends list.

If you want to share GoFundMe campaigns with one-click, do NOT revoke that permission. (If you do, you will need to give it that permission again the next time you choose to share a GoFundMe campaign using their share button.)

If you choose to remove an app, you should see a notice similar to this:

(This was an app I connected in order to enter a sweepstakes, years ago. This is why it is a good idea to audit your app permissions on the regular. I connected this app in 2014, and haven't used it since I did not win that sweepstakes. It does not still need to be connected in 2022. It may "go rogue" at any point and misuse my permissions.)

Once you click on "Remove," it severs its connection to your Facebook Profile and removes all permission to use your information. The app can no longer "post as you" either.

For  more on rogue apps, the permissions you grant, and how those may not be a good thing, visit Techlaurels, our Sister Site, and read these posts:

• FaceApp: How Dangerous Is It?
• Disconnect Your Facebook Apps to Protect Your Personal Data
• Privacy Implications of Sweepstakes, Freebies, and Like-Farming Sites
• More on Internet Quiz Sites and the Associated Dangers

I'm Not Sure if it's a Hack or a Rogue App? What Do I Do?

If you're not sure if it's a hack or a rogue app, you need to take a few steps. Basically, you need to treat it like you have been hacked, AND like you've given a rogue app permission to post things on your behalf. 

First of all, change your password. Consider going to Have I Been Pwned to check to see which of your passwords have been compromised and are available to hackers trying to break in to your accounts too. You can check BOTH e-mail addresses and phone numbers using this tool. 

Next, you need to check to see where and on what devices folks are logged in to your account. To do this, go to settings, Security and Login, Where I am logged in. 

This will give you a list of ALL devices, locations, browsers, etc. currently logged in as you on your Facebook. It is common to see multiple entries for the same browser, due to the way browsers work. You may also see more than one entry for a mobile device. If you do not recognize a device or browser, use the Hamburger Menu (3 dots) to log that device or browser out of your account. If you make a mistake, you will just need to log back into Facebook on that device the next time you try to use it. If you REALLY think you've been hacked, log out of ALL sessions. 

Just changing your password DOES NOT log active users/sessions/devices out. That means your hacker may still have an active connection to your account, even though you have changed your password. You NEED to disconnect that session to disconnect the hacker from your account. If you fail to do so, the hacker still can change your password and/or recovery e-mail to lock you out of your own account. TOO MANY PEOPLE skip this step, and wonder why their friends are still getting spammed.

What Other Exploits Do I Need To Look For?

Today, rather than hacking the Facebook Account you actively use, a nefarious type will clone your account instead. What this means is they open a 2nd Facebook Account using your name, or a variation on it, as well as your profile photo (or other Public Photos in your account.) Then they either use the personal information they've stolen through a rogue app and/or your Public Friends List to send Friend Requests to all of your Facebook Friends, usually under the guise of opening a 2nd Facebook Account, or claiming they "got a new phone" and cannot log in to an existing account. This is why you need to be wary of Friend Requests from folks you are already Friends with.

Chances are they will use that cloned account to Messenger Spam your friends and/or to post links to malware pages and malware apps. They might also exploit your Friends Lists for other types of scams, including "Romeo Scams," info stealing scams, and affiliate bonus scams. 

I like to periodically search my own name on Facebook to see if anyone has tried to clone me. I also reach out to friends, usually by tagging their current Facebook Profile with a post saying "I got a friend request from you; did you open a 2nd account? Anyone know?"  BEFORE blindly accepting the request. Usually someone, if not the account holder, will reply with "Yes, [name] lost her password and can't get in to the old account on the new phone," or the account holder will reply with "Nope...not me." If I get the latter response, I report the fake account to Facebook so they will (hopefully) shut it down.

Anything Else I Need to Do?

I have 2FA (two-factor authentication) enabled on my Facebook Account. This means I need to verify who I am through a 2nd method before a site lets me in with just a username and password combination. For most sites, this means receiving a code via text or e-mail that I need to enter, in addition to a password, in order to log in. Facebook allows you to use Code Generator, a part of the mobile app, to get that code. If you don't have access to Code Generator, Facebook will use text or e-mail to send you the 2FA code.

I suggest folks enable 2FA on any site that offers it, but definitely on banking, credit card, and payment app sites. I additionally suggest using it on domain name registration sites, as well as ALL social media. This means enabling 2FA on Facebook, Twitter, and Instagram. It makes it a LOT harder to impersonate you at log in, especially if they got your information from another site that did not safeguard it as they should. Enable it on ANY site "Have I been pwned" tells you both your username and password are in its database. It helps safeguard you against having your stolen information used against you. 

I've Done EVERYTHING You Suggested; Are My Accounts Bullet-Proof Now?

I wish I could say "yes," you've made your account impossible to compromise, but alas, that is not the case. It is virtually impossible to "bullet proof" ANY account hosted in cyberspace these days. Cookie-exploits, phishing attacks, and good old social engineering can still be used as break in tools. But if you've done everything suggested in this post, you have done the most you can do to safeguard your social media. You've at least made it harder to exploit. 

Unfortunately, Bad Guys are trying to scam you on the regular, and all you can do is make it harder to do so. Techlaurels shares information related to cybersecurity, current exploits, and protecting yourself on our Facebook Page, and the blog is full of helpful tips. You may want to follow Techlaurels on Facebook if you are interested in seeing the latest in these areas.

You need to be careful of participating in innocent looking "viral shares" as well. Many of those "Let's learn about each other" types of posts are just masks for scammers looking to steal answers to your security questions so that they can break into your accounts more easily, and bypass all those precautions you've enabled. So stop participating in those list type posts that ask things like your favorite color, your 1st car, your pet's name, and the like.

Bad Guys will not hesitate to call a support number and pretend to be you, in order to get Support to let them into YOUR account. Often, they can compile enough information from your own posts to get the info they need to do so. 

However, if you follow all the steps outlined here, you're about as safe as you can be. Even if you were NOT hacked yet, you should secure your account to make it harder to do in the future. And you should pay attention to the permissions you are giving websites and apps at the time you give them in order to keep from getting exploited in the first place. In other words, follow these steps, and you've made it a LOT harder for them to hack your account.

If you have any questions about recovering from a "hack," securing your accounts, or anything else related to this topic, you can ask them in a comment here or on LifeLaurel's Facebook Page. We will do our best to answer them. Securing your accounts, and understanding how to do so, is paramount to protecting yourself online. It is something we all must think about and understand.