How to hack a Facebook account

How to hack a Facebook account easily or online Facebook hacker are some of the keywords that are searched for most these days. Throughout this (extremely long!) article, I will describe various methods by which a third party could obtain someone's Facebook account password, as well as how you can avoid getting your own Facebook account hacked.

I have been the head of IT security at a major firm for a couple of years, and in private, people tend to ask a lot of the same questions:

  • Does FB hacking software really exist?
  • Where can I get a free online Facebook cracker?
  • I have forgotten my password. Do you know of a Facebook password finder?
  • Can you teach me how to hack someone's Facebook password?

Until we developed our patented Blue Portal Facebook Password Hacker, no tool existed that could hack a Facebook account automatically. A quick web search will show you that a lot of sites offer such services; however, I can guarantee you that our Facebook password hacker is the only working one.

Most of the other sites will either ask you to fill out a survey or make a payment to some foreign account. Even after doing this, you will still not receive a working username and password, since their Facebook hacker does not actually work. All these fake services do is waste your time and money; for this reason, our FB password finder only asks you to make a payment once the account has actually been hacked.

If you don't have any money, or simply want to learn how to hack a Facebook account on your own, then read on; in this article we will explain in detail exactly how that is done.

online facebook password hacker

Before we get into too much detail, it is worth noting that the methods below are fairly generic, which means they work for any social media website such as Instagram, Twitter, LinkedIn, Snapchat, etc.

It should be noted that this article is strictly meant for educational purposes. We are not responsible for any mischief you might get up to as a consequence of reading this article.

Phishing attacks

One of the most common ways to steal not only Facebook passwords, but passwords in general, is phishing. Phishing is popular mainly because a phishing page is so easy to set up. Furthermore, detecting a phishing attack is getting harder despite the protections built into browsers such as Google Chrome and Mozilla Firefox. For example, homograph attacks (domain names built from lookalike characters of another alphabet, such as a Cyrillic 'а' in place of a Latin 'a') are very hard for a user to spot. Browsers now display many mixed-script hostnames in their punycode form (xn--...) instead of as Unicode, but not every lookalike is caught, and the rules differ from browser to browser.

So... what is phishing?

In simple terms, phishing is the practice of replicating a popular website's login page so faithfully that it fools visitors into thinking it is the real site.
This lets the phisher capture usernames and passwords the moment a visitor tries to log in to the phishing site with their real credentials.

So, in order to hack a specific person's Facebook account, you first have to build a page that looks exactly like the Facebook login page, but on a different domain name. For example, you could register the domain name facebook-login.com, facebo0k.com, etc. Essentially any domain name that at first glance looks like facebook.com will do. The whole point of phishing is that the user clicks the phishing link in an email, forum post or other medium without suspecting anything. He then enters his username and password, which are saved in the hacker's database. Once the victim clicks the log in button he is redirected to facebook.com, where he simply logs in again on the real site, usually assuming the first attempt was a typo.

Some people learn better from a practical example:

A malicious hacker who wants to hack Alex's Facebook account uploads a copy of the Facebook login page to his domain faceb00k.com. The hacker then sends Alex an email telling him that he needs to change his password. The email looks like a legitimate email from facebook.com, so Alex happily clicks the link, which leads to the hacker's phishing page. Once Alex has entered his username and password they are sent to the hacker's email address, and the hacker can now log into Alex's FB account and do as he pleases.

Now, you might wonder how on earth Alex could have protected himself against the phishing attack. The main rule is to never enter your password on a page you reached by clicking a link in an email or message. If you need to log into Facebook, type facebook.com into the address bar yourself. This way you never expose your login details to the hacker, because you never typed your username or password into his site. A password manager enforces this for you: it only fills credentials on the domain they were saved for, so a login form on faceb00k.com stays empty, which is itself a warning sign. This is somewhat annoying in the long run, but it is the most reliable way to protect your FB account against phishers.

You can also check the domain name in the URL to verify that the site is actually the one it pretends to be. Look at the registrable domain (the part just before the top-level domain), not at the beginning of the address: facebook.com.example.net is not Facebook. This is generally a sound check as well; however, advanced attacks such as homograph attacks can still fool you, because the lookalike character cannot be told apart by eye. If in doubt, copy the address into a text editor or paste the host into a punycode converter; a hostname that turns into xn--... is not facebook.com.
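To make that domain check concrete, here is an added example written for this article (it is not Facebook's code or any browser feature) that classifies a URL against the domain the user expects. It uses only the Python standard library; the sample URLs, the confusable-character table and the "last two labels" rule for the registrable domain are constructed assumptions (a real tool would consult the Public Suffix List). It goes slightly beyond the text by also catching one-letter typos and the brand name hidden in a subdomain.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters commonly swapped for letters in lookalike domains (constructed table).
CONFUSABLE_ASCII = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com; use the Public Suffix List in a real tool."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typos such as 'facebok'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, expected: str = "facebook.com") -> tuple:
    """Classify the URL's host relative to the domain the user expects.

    Returns (verdict, host_as_the_browser_resolves_it); verdict is one of
    'genuine', 'homograph', 'lookalike' or 'unrelated'.
    """
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    brand = expected.split(".")[0]

    if domain == expected:
        return "genuine", host

    if any(ord(ch) > 127 for ch in host):
        # Internationalised label: DNS only ever sees the punycode form (xn--...).
        try:
            resolved = host.encode("idna").decode("ascii")
        except UnicodeError:
            resolved = host
        mixed_script = any(len(scripts_in(label)) > 1 for label in host.split("."))
        if mixed_script or edit_distance(domain, expected) <= 2:
            return "homograph", resolved
        return "unrelated", resolved

    # ASCII tricks: digit-for-letter swaps, extra hyphenated words, the brand used as a subdomain.
    normalised = domain.translate(CONFUSABLE_ASCII)
    if normalised == expected or brand in host or edit_distance(normalised, expected) <= 2:
        return "lookalike", host
    return "unrelated", host


if __name__ == "__main__":
    for sample in (
        "https://www.facebook.com/login.php",
        "http://faceb00k.com/login",
        "https://facebook-login.com/",
        "https://facebook.com.security-check.net/",
        "https://www.f\u0430cebook.com/",  # Cyrillic 'а' (U+0430) in place of Latin 'a'
        "https://example.org/",
    ):
        print(sample, "->", classify_url(sample))
```

The "homograph" branch is the one the text warns about: the page renders as facebook.com to the eye, but what the browser resolves is an xn-- name, and the mixed-script check is the same signal browsers use when they decide to show punycode.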

Below are pictures of a couple of Facebook phishing sites; check them out and see if you can spot the differences between those and the real site.

facebook phishing attack

Even though the above site has a TLS (SSL) certificate and shows a padlock, it is not authentic. People often confuse a site having a certificate with it being genuine. The padlock only means that the connection to that domain is encrypted and that a certificate was issued to whoever controls that domain; it says nothing about who that is. Obtaining a certificate these days is very easy, as services such as Let's Encrypt and Cloudflare provide them completely free of charge.

While this URL does not use HTTPS, it still looks very similar to the real Facebook domain.

This article is a work in progress, therefore we will gradually update it with new hacking methods so stay tuned.

Social engineering

This is yet another extremely popular and powerful method for hacking Facebook accounts. What makes this technique especially dangerous is that it requires little to no technical knowledge, and it is the main example of how to hack someone's Facebook password for free. Any average Joe is able to perform basic social engineering against an FB account.

social engineering is easy on Facebook

Basically, social engineering is the technique of collecting as much personal information about the person behind an account as possible. Common details are things such as date of birth, mother's maiden name and the cities the target has lived in; however, more specific information is also collected, such as the name of the first pet, the favourite high school teacher, the favourite book, etc.

So how does social engineering work?

Nowadays, the vast majority of websites offer an option to reset the password of an account in case the owner forgets it. In order to recover the password, the person needs to answer a question about a personal detail such as the ones mentioned above. Naturally, only the account owner is supposed to know the answer, but if a third party gets hold of this information then he or she can reset the password of the target's account and take it over, without ever learning the original password.

How to make up a good security answer

Having a secure security answer is as important as having a secure password. Don't use information that is publicly known, such as the city you were born in or your mother's maiden name; hackers can look this up online and reset your password. The safest answer is one that has nothing to do with you at all: treat it like a second password, make it random, and keep it in your password manager (see below). Additionally, enable login alerts in the Facebook security settings; these notify you by phone or email whenever an unrecognised device logs into your Facebook account. Furthermore, Facebook has introduced the option of choosing friends to help you log back in. If you forget your password, you can contact these friends and ask for their codes, which in turn can be used to regain access to your account. Pick people you can reach by phone, since anyone who can impersonate you to them can use the same mechanism.

Password recovery by using Facebook friends

Do not use weak or obvious passwords

Security questions are only one aspect of social engineering. Another is the password itself. Even if the hacker cannot guess the answer to your security question, he might be able to guess the password of the account and thereby "hack" the Facebook account simply by logging in.
Just like the security answer, the password should be hard to guess and must not include obvious details such as your birthday, your name, your pet's name or your favourite sports team, in any spelling (Rex1991 and R3x!1991 are equally weak). Keep in mind that information like this is extremely easy to look up on Facebook, so you have to be extra careful when securing your account against Facebook password crackers.
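As an added example (not from the original article) of the check the last two sections describe, the following Python code tests a candidate password or security answer against facts visible on a public profile, including the leetspeak substitutions and birthday formats people believe disguise them. The profile is a constructed sample and the function names are my own; it needs nothing beyond the standard library.

```python
import re
import secrets
from datetime import date

# Facts an attacker can read off a public profile (constructed sample, not a real person).
PROFILE = {
    "first_name": "Alex",
    "last_name": "Jensen",
    "home_town": "Aarhus",
    "pet": "Rex",
    "team": "Liverpool",
    "birthday": date(1991, 7, 23),
}

# Substitutions people believe disguise a word: R3x, L1verp00l, @lex ...
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def profile_tokens(profile: dict) -> set:
    """Everything an attacker would try: names and places, plus the usual ways of writing a birthday."""
    tokens = {str(v).lower() for k, v in profile.items() if k != "birthday"}
    bd = profile["birthday"]
    tokens |= {str(bd.year), str(bd.year)[2:]}
    tokens |= {bd.strftime(fmt) for fmt in ("%d%m", "%d%m%y", "%d%m%Y", "%m%d%Y", "%Y%m%d")}
    return tokens


def guessable_from_profile(secret: str, profile: dict) -> list:
    """Profile tokens found inside a password or security answer; an empty list means none.

    Case and punctuation are stripped and a leetspeak-decoded variant is checked as well,
    so 'R3x!1991' is caught just like 'Rex1991'.
    """
    flat = re.sub(r"[^a-z0-9@$]", "", secret.lower())
    variants = {flat, flat.translate(LEET)}
    return sorted(t for t in profile_tokens(profile) if any(t in v for v in variants))


def random_answer() -> str:
    """A security answer unrelated to the account holder, meant to live in a password manager."""
    return secrets.token_urlsafe(18)


if __name__ == "__main__":
    for candidate in ("Rex1991!", "L1verp00l#2023", "correct horse battery staple"):
        hits = guessable_from_profile(candidate, PROFILE)
        print(f"{candidate!r}: {'weak, contains ' + ', '.join(hits) if hits else 'ok'}")
    print("suggested security answer:", random_answer())
```

The same function works for security answers: if the answer you are about to type is found by it, the attacker's profile scrape will find it too.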

One of the primary reasons people use social engineering is that it is the best example of how to hack a Facebook account password without downloading anything: the hacker can do it simply by messaging the victim.

How to hack a Facebook account profile through a third party

While it isn't impossible to hack a Facebook password without software, it certainly is cumbersome. Therefore, if you are already a skilled hacker, you might be better off targeting a third-party website that the target is already a member of. Your best option is a poor-quality website, since those tend not to salt or hash passwords and simply store them in plaintext in the database.

passwords stored in third party databases

The reason this often works is that the vast majority of internet users reuse the same password across their online accounts. Thus, if you can obtain the password the target used on a third-party site, it is very likely that you also have the password to the victim's Facebook account.
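The storage difference mentioned above (plaintext versus salted hashes) is easy to show side by side. The following Python snippet is an added illustration for this article, not code from any real site; the sign-up list is constructed. The point is that with a per-user salt, two users sharing a password get different records, and nothing in the leaked table can be tried on Facebook without first being cracked.

```python
import hashlib
import hmac
import os

# Constructed sign-ups for a hypothetical small forum; two users reuse the same password,
# which is exactly what makes a plaintext table valuable to an attacker.
SIGNUPS = [
    ("alice", "Summer2019!"),
    ("bob", "Summer2019!"),
    ("carol", "correct horse battery staple"),
]

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def store_plaintext(signups) -> dict:
    """What the 'poor quality website' does: the database row *is* the password."""
    return {user: password for user, password in signups}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2 record. The salt is per user, so identical passwords give different rows,
    and the parameters are stored alongside so they can be upgraded later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_hashed(signups) -> dict:
    """What the site should do instead: verifiable records only, never the password itself."""
    return {user: hash_password(password) for user, password in signups}


if __name__ == "__main__":
    leaked = store_plaintext(SIGNUPS)
    print("plaintext table leaks:", leaked)          # reusable on Facebook exactly as stored
    hashed = store_hashed(SIGNUPS)
    print("alice and bob share a password but not a record:", hashed["alice"] != hashed["bob"])
    print("login check:", verify_password("Summer2019!", hashed["alice"]))
```

Even the hashed table is only as strong as the passwords in it: a dump of records like these can still be brute-forced one user at a time, which is why the unique-password advice further down still applies.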

To find other sites the target uses, try searching on Google for their name, interests or local communities that he or she might be a member of.

Creating your own third party decoy

If you were unable to find or hack any third-party sites that the victim is a member of, you might be better off creating your own. If the target is interested in horses, create a local horse forum or community and invite him to join. Most likely he'll join and reuse his Facebook password to sign up. Now simply look in your site's database, grab the password he signed up with and try logging into Facebook with it. If you're in luck it will work, and you have effectively hacked a Facebook account.

How to protect your Facebook account against a third party hack

The first rule of thumb is to never trust low-quality websites. You don't know who owns them, nor how securely they store what you give them, regardless of whether they use HTTPS: HTTPS only protects the password on its way to the site, not in the site's database.

plaintext is insecure

The fact is, however, that even large, legitimate sites get breached nowadays, so an attacker does not need to target your Facebook account at all to end up with its password. LinkedIn's password database was breached in 2012 (the passwords were unsalted SHA-1 hashes, most of which were cracked quickly) and Twitter was hit a couple of years back as well, so the truth of the matter is that there is no "safe" location for a password you use in more than one place.

The best way to handle this is to use a unique password for every single site you are a member of. This way, even if a site gets hacked, the leaked password opens nothing else.

Use a password manager

You might be scratching your head, worrying about having to remember 20 different passwords now. With a password manager you won't have to. A password manager is a tool that securely stores your passwords, generates a long random one for each new site, and fills them in when you log in, so the only password you still have to remember is the master password that unlocks the manager. There are a lot of password managers out there, backed by different providers such as Kaspersky, etc. Pick the one you like and stick to it.

Keylogging

Keylogging is the practice of recording the keystrokes typed on a computer or smartphone and sending those logs back to the attacker.

How does keylogging work?

A keylogger runs as a background process and is thus invisible to the average user. Keyloggers work in different ways, but generally they record every keystroke and send a report of those keystrokes to an email address every X minutes. Nowadays, a lot of keyloggers also log which program the keystrokes were typed into (e.g. a browser) and even which website (e.g. www.facebook.com). This means that if you log into Facebook on a computer that has a keylogger installed, you effectively send your username and password to the owner of the keylogger. He can then log into your account and has thus hacked the Facebook account.

a keylogger is a simple way to hack a Facebook account

The hacker could also ask you to log in to your Facebook account on their computer, on which they have already installed a keylogger. The same is possible on mobile phones.

How to protect your Facebook account from keyloggers

If you only log into your Facebook account from your personal PC, the risk of being keylogged is lower, but it is not zero: this assumes your antivirus is up to date and that you have not already been infected, and no antivirus catches everything (see the section on trojan horses below).

If, however, you are logging into your Facebook account on another person's computer, you should definitely be careful, since that computer could be infected, with or without the owner's knowledge.

an on screen keyboard

In this case, an on-screen keyboard is a partial workaround: it lets you enter your password by clicking buttons on the screen instead of pressing keys, so a keylogger that only hooks the physical keyboard sees nothing. On Windows you start it by pressing Win + R, typing osk and hitting Enter (or with Win + Ctrl + O on Windows 10 and later). Be aware that it only defeats the simplest keyloggers: malware that takes screenshots, reads the clipboard, hooks the browser or records mouse clicks will still capture the password. The safer habit is to avoid logging in on other people's computers at all; if you have to, change your password from a trusted device afterwards and log the foreign session out from your account's security settings.

Hacker Facebook apps

Unlike most of the other ways to hack a Facebook account covered here, this method does not give the hacker complete control of the account, but it does show how someone can read your Facebook messages or post as you for free. It gives the hacker access to a set of predefined actions, such as liking and posting content.

Like most people, you have probably logged into a site through your Facebook account. What actually happens is that you are logging in through a third-party Facebook app (built on Facebook Login, which is an OAuth 2.0 flow) that is not owned by Facebook itself. When you log in through a third-party app for the first time, you generally have to grant the application a set of permissions. These permissions range from letting the application view your friend list to posting comments on your behalf.

Here's a list of some of the more common actions that FB applications can be granted:

  • Access your confidential account information
  • Manage your pages
  • Share posts and links
  • Post comments and updates

Of course, in general there are perfectly valid reasons why an application needs to be able to post comments and updates on your behalf. The issue is the minority of applications that request these rights in order to spam you and your friends.

Imagine this scenario:

You have granted an application permission to share links from your account. Contrary to what you expected, the application starts sharing all sorts of unrelated links on your timeline without you knowing about it. In this case it may be a way for the application to spread itself to your friends' accounts, and from there onwards.

How you can avoid getting hacked by a malicious Facebook app

Always be aware of which permissions you grant an application. Furthermore, be critical about why the application needs the rights it requests.

hacker apps request too many permissions

For example, it seems reasonable that a blogging platform would request access to share links on your Facebook wall (since you might want to share your blog posts there); however, if a website that only asks you to log in with Facebook requests these permissions, then it might be due to malicious intent. A Facebook application should never request more permissions than it needs; therefore never grant an app more permissions than you deem necessary. The permission dialog lists what is being requested, and the optional items can be unticked before you approve.

Remember, you can always revoke the permissions you have granted in your Facebook account settings. It is generally recommended that you review the permissions you have granted your Facebook apps from time to time and remove apps you no longer use.
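The permission request is visible in the address bar of the dialog as the scope parameter of an OAuth authorization URL. As an added example (my own code, not Facebook's or any app's) the snippet below pulls the requested permissions out of such a URL and compares them with what the stated purpose of the site justifies. The permission names follow Facebook's permission list at the time of writing and are an assumption here (check the current reference); the dialog URL for the horse forum is constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Permission names as used by Facebook Login at the time of writing (assumed; verify against
# Facebook's current permissions reference). Only the first two are needed to identify a user;
# the rest let the app act on the user's behalf.
LOGIN_ONLY = {"public_profile", "email"}
ACTS_AS_YOU = {"publish_actions", "manage_pages", "publish_pages", "pages_manage_posts"}

# Constructed dialog URL for a hypothetical horse forum that only offers "Log in with Facebook".
HORSE_FORUM = (
    "https://www.facebook.com/dialog/oauth?client_id=000000000000000"
    "&redirect_uri=https%3A%2F%2Fhorse-forum.example%2Ffb-callback"
    "&response_type=code&scope=public_profile,email,user_friends,publish_actions"
)


def requested_scopes(dialog_url: str) -> set:
    """Permissions an app asks for, taken from the OAuth dialog URL shown in the address bar.

    The scope parameter may be comma- or space-separated and may appear more than once.
    """
    query = parse_qs(urlsplit(dialog_url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in raw.replace(",", " ").split() if s}


def excessive_scopes(dialog_url: str, purpose: str = "login") -> set:
    """Permissions beyond what the stated purpose justifies.

    purpose="login": the site only uses Facebook to identify you.
    purpose="publish": the site legitimately posts for you (e.g. a blogging platform).
    """
    allowed = set(LOGIN_ONLY)
    if purpose == "publish":
        allowed.add("publish_actions")
    return requested_scopes(dialog_url) - allowed


def risk_summary(dialog_url: str, purpose: str = "login") -> str:
    """One-line verdict a user can act on before clicking 'Continue'."""
    extra = excessive_scopes(dialog_url, purpose)
    if not extra:
        return f"ok: nothing beyond what a {purpose} app needs"
    acting = extra & ACTS_AS_YOU
    if acting:
        return "refuse: can act as you (" + ", ".join(sorted(acting)) + ")"
    return "review: extra read permissions (" + ", ".join(sorted(extra)) + ")"


if __name__ == "__main__":
    print("horse forum, login only:", risk_summary(HORSE_FORUM))
    print("same request from a blogging platform:", risk_summary(HORSE_FORUM, "publish"))
```

A forum that only needs to know who you are has no reason to ask for publish_actions; the same request from a blogging platform is plausible, which is why the check takes the site's purpose as input rather than judging scopes in isolation.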

Rogue mobile apps (Android or iOS)

While most people are fairly careful about installing programs on their PC, many have a very lax attitude towards installing mobile phone apps.

If a company told you to install their app to get a discount, wouldn't you? And why not - Apple keeps their eyes on them... right?

The truth of the matter is that neither Apple nor Google can investigate every single line of code of every app they allow into their app stores. For this reason, hackers can publish apps that steal your Facebook session tokens and transfer them right back to the hacker.

Once the hacker has the access tokens he can inject them into a browser and will not even have to log into your Facebook account to access it. In fact, all he needs to do is browse to www.facebook.com and he will already be logged in as you; that is really how to hack someone's Facebook account in a simple way. This is also why the "Where you're logged in" list in the security settings matters: logging out the sessions you don't recognise invalidates a stolen token.

How you can prevent your FB account from getting hacked by a mobile app

Much like with desktop software, you should exercise caution when downloading an app. Here are some pointers which, if followed, make it much less likely that your Facebook account gets hijacked.

  • Verify that the publisher of the app is really who they claim to be (the developer name on the store listing, not the app's own title or logo)
  • Check the number of downloads in the app store. A large install base makes a scam less likely but does not rule it out: download counts and ratings can be bought, and a malicious update can be pushed to an app that was clean when it became popular
  • Check the app reviews and ratings, and the permissions the app asks for at install time

Rogue Facebook password hacking software

A lot of hackers release malicious "Facebook hacking software" which they promote as being able to hack a Facebook account password with the click of a button. The thing is, the developers are not exactly lying when they claim that it can hack Facebook passwords. The only drawback is that it is YOUR FB password that gets hacked.

How does rogue FB password hacking software work

The software can hack your Facebook password in multiple ways:

  • The software infects the computer as soon as it is run and effectively acts as a keylogger.
  • It asks you to enter your own Facebook username and password "to get started", which it then forwards to the hacker.
  • Once you run the software, a hook is installed in your browser which monitors your sessions and transfers the cookies to the hacker (this kind of malware is also known as a stealer).

How you can protect yourself against getting hacked by the software

The simplest way is to not download the software at all. In general these tools do not work. If you are uncertain, then the best thing to do is to check the reviews online. Any reputable Facebook hacker will have a Facebook page with reviews (just like Blue Portal does). Glance through the reviews and see whether the overall consensus is that it is a scam or that it actually works.

Our best advice is really just to only use reputable online Facebook hackers like Blue Portal.

Facebook hacks through browser vulnerabilities

A hole in a browser's security is also known as a browser vulnerability. Generally, only older versions of browsers are vulnerable to browser exploits, since browser developers patch issues as soon as they become public.

Loads of different subcategories of browser vulnerabilities exist, and we are not going to explain exactly how each individual exploit works, but we will cover a few noteworthy ones:

Same Origin Policy exploit:

In general, browsers respect the same-origin policy, which stops a script on one origin (scheme, host and port) from reading the response to a request it makes to another origin; the request itself may go out with your Facebook cookies attached, but the page on the attacker's domain is not allowed to read what comes back. If a browser bug breaks this policy, a hacker's page (on any domain) could request your Facebook settings page and read the response, revealing your recovery email, security questions, phone number, etc.

Cross Site Scripting (XSS):

We will cover this in detail in a later section.

Cross Site Request Forgery (CSRF):

Cross-site request forgery is an attack in which a page on the attacker's site makes your browser send a request to another site where you are already logged in; the browser attaches your cookies, so the request arrives authenticated as you even though you never intended to send it. For example, an attacker could submit a request to change the email address on your Facebook account, or send messages to your friends on your behalf. Sites combat this by requiring an anti-CSRF token on every state-changing request: a secret value embedded in their own forms that the attacker's page cannot read (because of the same-origin policy above) and therefore cannot supply.
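To show what the anti-CSRF token actually checks, here is an added example (my own code for this article, not Facebook's implementation) of a minimal server-side handler for an email change. The session table, the request dictionaries and the three scenarios are constructed; the token is bound to the victim's session with an HMAC, so a token the attacker legitimately obtained for his own session is rejected too.

```python
import hashlib
import hmac
import secrets

# Server-side key. Generated here so the example runs stand-alone; a real server loads it from
# configuration so tokens survive restarts and are shared across instances.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: nonce plus HMAC(key, session_id || nonce).

    Binding to the session means a token the attacker obtained for *his* session
    is useless against the victim's.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_email_change(request: dict, sessions: dict) -> tuple:
    """Minimal handler for a state-changing request.

    request:  {"method", "cookie_sid", "form": {...}} as the browser would send it
    sessions: cookie value -> session id, i.e. the server's session table
    The cookie proves who the user is; the token proves the form came from our own page.
    """
    session_id = sessions.get(request.get("cookie_sid"))
    if session_id is None:
        return 401, "not logged in"
    if request.get("method") != "POST":
        return 405, "email changes must be POSTed"
    form = request.get("form", {})
    if not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "email changed to " + form.get("email", "")


if __name__ == "__main__":
    sessions = {"cookie-of-victim": "sess-victim", "cookie-of-attacker": "sess-attacker"}
    # Our own settings page embeds a token for the victim's session in the form.
    good = {"method": "POST", "cookie_sid": "cookie-of-victim",
            "form": {"csrf_token": issue_csrf_token("sess-victim"), "email": "me@example.com"}}
    # A hidden form on the attacker's page auto-submits; the browser attaches the victim's cookie but no token.
    forged = {"method": "POST", "cookie_sid": "cookie-of-victim",
              "form": {"email": "attacker@example.com"}}
    # The attacker plants a token from his own session into the forged form.
    borrowed = {"method": "POST", "cookie_sid": "cookie-of-victim",
                "form": {"csrf_token": issue_csrf_token("sess-attacker"), "email": "attacker@example.com"}}
    for name, req in (("legitimate", good), ("forged", forged), ("borrowed token", borrowed)):
        print(name, "->", handle_email_change(req, sessions))
```

Note that the handler also refuses GET requests for the change: a token only helps if the action cannot be triggered by simply loading an image or link on the attacker's page.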

browser exploits

You can protect yourself against browser exploits by simply keeping your browser updated at all times. This is easy, since most browsers update themselves automatically whenever a new version is released; all you have to do is restart the browser when it asks you to.

Being Tricked Into Cross Site Scripting Yourself

Self cross-site scripting (better known as Self-XSS) is a method in which a hacker tricks the victim into running a piece of JavaScript code in their own browser while a Facebook tab is open and logged in.

This is generally done by opening the browser's developer console (press F12, or Ctrl + Shift + J in Chrome), pasting in the JavaScript and hitting Enter. Code run from the console executes with the full rights of the page that is open, which is exactly why the console is dangerous in the wrong hands.

self xss exploit

Oftentimes, the hacker promises the victim that by running the code he'll be able to hack a Facebook account, view hidden Facebook messages, or whatever else the victim wants to do.

However, the truth is that the only Facebook account the victim hacks is his own. How the JavaScript works varies, but generally it either steals the Facebook session cookies and sends them to the hacker's web server or, where the session cookie is protected from scripts (the HttpOnly flag), simply performs actions directly from the open tab on the victim's behalf.

Once the hacker has your Facebook session he can do everything with your account, including messaging people, adding friends, changing your settings and posting on your wall.

Protecting against this FB hack is very easy: never paste anything into your console, regardless of what the third party promises. Facebook itself prints a warning in the console for exactly this reason.
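On the site's side, what limits the damage of pasted script is the way the session cookie is issued. As an added example (my own code, not Facebook's; the cookie name and values are constructed) the snippet below builds a session Set-Cookie header with the attributes that matter and audits an arbitrary header value for the ones that are missing. It uses only Python's standard http.cookies module (SameSite support requires Python 3.8 or later).

```python
import secrets
from http.cookies import SimpleCookie


def build_session_cookie(name: str = "sid") -> str:
    """Value of the Set-Cookie header a login endpoint should send for its session cookie."""
    jar = SimpleCookie()
    jar[name] = secrets.token_urlsafe(32)   # 256-bit random session id, never derived from user data
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True       # only ever sent over HTTPS
    morsel["httponly"] = True     # invisible to document.cookie, so pasted script cannot exfiltrate it
    morsel["samesite"] = "Lax"    # not attached to cross-site POSTs, which also blunts CSRF
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """List the weaknesses of a Set-Cookie header value; an empty list means it looks hardened."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.lower()] = value or True
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: sent in clear over http://")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by any script on the page, e.g. one pasted into the console")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: attached to requests triggered by other sites")
    return problems


if __name__ == "__main__":
    print(build_session_cookie())
    print(audit_set_cookie("sid=abc123; Path=/"))   # a cookie any pasted script can read and send home
```

HttpOnly stops the cookie-theft variant described above, but not the other one: script running in the open tab can still send requests as the user without ever reading the cookie. That is why the advice to the user (don't paste) and the advice to the site (HttpOnly, SameSite, CSRF tokens) are both needed.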

How to get into someones Facebook account with a Trojan horse

Trojan horses are malware that can control a victim's computer, steal his passwords and see everything that is going on on his computer. Think of a trojan horse as an advanced keylogger: it can steal passwords just like a keylogger, but it features an array of more advanced features as well, such as remote control of the machine.

How a trojan horse steals Facebook passwords

If you have been infected with a trojan horse, then everything you do can be seen by the hacker. Whenever you log into Facebook he can see your username and password, and he can even route his own traffic through your computer so that his login appears to come from your IP address and usual location (thus bypassing Facebook's unfamiliar-location checks and login alerts). For this very reason, a trojan horse is one of the most effective ways to hack a Facebook account, since Facebook's account protections don't help against it.

Obviously, the hacker will not advertise that he has installed a trojan horse on your computer. Often it was installed along with a legitimate piece of software (a software bundle), so the victim is infected without even knowing it.

How to protect yourself against a trojan horse

  • Use an up-to-date antivirus with real-time protection and a firewall.
  • Keep your antivirus updated at ALL TIMES. This is easiest if you let it update automatically.
  • Only download software from sources you trust (such as microsoft.com, apple.com, adobe.com, etc.), and prefer the vendor's own site over download portals that wrap installers in their own "downloaders".
  • Don't blindly trust sites such as SourceForge. Anyone can upload files there; just because the site is trustworthy does not make its files trustworthy.
  • Before running a file, scan it with a malware scanner. If you want to be extra safe, upload it to VirusTotal, which runs it past dozens of scanners at once; note that a clean result is not proof of safety, only a detection is proof of a problem.
  • The Java Runtime Environment has historically been a prime target for drive-by exploits. Contrary to popular belief it is not essential on most computers: uninstall it if nothing you use needs it, and if you do need it, install every available Java update immediately and keep the browser plugin disabled.
  • Never plug a USB device from a person you do not trust into your computer. Antivirus software has a hard time with USB-borne attacks, because a malicious device can present itself as a keyboard and type commands rather than deliver a file that can be scanned.

It is very important to realise that even if you follow the above tips, you are not safe. No antivirus is bulletproof, and it is relatively easy for a hacker to produce a new piece of malware that is not yet detected by malware scanners. Therefore exercise extreme caution whenever you run a program you haven't run before.

Zero day (0-day) Facebook hacking

zero day exploit

In general, Facebook tries its best to protect its users from people who know how to hack into Facebook. However, every now and then a new exploit is discovered that gets through, because Facebook is unaware of the flaw it relies on.

A zero-day is a vulnerability for which no patch exists yet, because the vendor has had "zero days" to fix it; it is the opposite of a patched vulnerability. When someone discovers one, one of two things happens. Either it is reported straight to Facebook (and the finder is generally rewarded with a bounty through Facebook's Bug Bounty Program), or, if the hacker who discovers it is a black hat, he keeps it to himself.

In the latter case he could hack a bunch of Facebook accounts and use them for his own gain, for instance to spam other users, and possibly earn more than what the bug bounty program offers.

Zero day exploits are quite rare

To be honest, there is little you can do to prevent a zero-day exploit itself; what you can do is limit the damage with the same measures as above: a unique password, login alerts, and a periodic review of active sessions and connected apps. Luckily, zero-day exploits are very rare, so zero-day hacks are in fact the least of your worries. Facebook is quite experienced in securing its site, so newly found exploits generally don't work for long.