How to hack a Facebook account

"How to hack a Facebook account" and "online Facebook hacker" are among the most searched keywords these days. Throughout this (extremely long!) article, I will describe various methods by which a third party could obtain someone's Facebook account password, as well as how you can avoid getting your own Facebook account hacked.

I have been the head of IT security for a major firm for a couple of years, and in private, people tend to ask a lot of the same questions:

  • Does FB hacking software really exist?
  • Where can I get a free online Facebook cracker?
  • I have forgotten my password. Do you know of a Facebook password finder?
  • Can you teach me how to hack someone's Facebook password?

Until we developed our patented Blue Portal Facebook Password Hacker, no tool existed that could hack a Facebook account automatically. A quick web search will show you that a lot of sites offer such services; however, I can guarantee you that our Facebook password hacker is the only working one.

Most of the other sites will either ask you to fill out a survey or even make a payment to some foreign account. Even after doing this, you will still not receive a working username and password, since their Facebook hacker really does not work. All these fake services do is waste your time and money; for this reason, our FB password finder only asks you to make a payment once the account has actually been hacked successfully.

If you don't have any money, or simply want to learn how to hack a Facebook account on your own, then read on; in this article we will explain in detail exactly how that is done.

[Image: online Facebook password hacker]

Before we get into too much detail, it is worth noting that the methods below are fairly generic, which means they will work against any social media website such as Instagram, Twitter, LinkedIn, Snapchat etc.

It should be noted that this article is strictly meant for educational purposes. We are not responsible for any mischief you might do as a consequence of reading this article.

Phishing attacks

One of the most common ways to hack not only Facebook passwords, but passwords in general, is phishing. Phishing is very popular, mainly because a phishing page is so easy to set up. Furthermore, detecting a phishing attack is getting harder and harder despite the numerous security measures taken by browsers such as Google Chrome and Mozilla Firefox. For example, complex schemes such as homograph phishing attacks are next to impossible for browsers and users alike to detect.

So... what is phishing?

In simple terms, phishing is the practice of replicating a popular website's layout so closely that it fools visitors into thinking it is the real site.
This allows the phisher to steal usernames and passwords from a visitor as soon as he tries to log onto the phishing site with his real credentials.

So, in order to hack a specific person's Facebook account, you will first have to design a page that looks exactly like the login page at Facebook, but on a different domain name. For example, you could register the domain name facebook-login.com, facebo0k.com etc. Essentially any domain name that at first glance looks like facebook.com will work. The whole point of phishing is that the user clicks the phishing link from an email, forum or other medium without suspecting anything. He then enters his username and password, which are saved in the hacker's database. Once the victim clicks the log in button he is redirected to facebook.com and can simply log in again on the real site.

Some people learn better by a practical example:

A malicious hacker who wants to hack Alex's Facebook account uploads a Facebook login page to his domain faceb00k.com. The hacker then sends Alex an email telling him that he needs to change his password. The email looks like a legitimate email coming from facebook.com, so Alex happily clicks the link in the email that leads to the hacker's phishing page. Once Alex has entered his username and password they get sent to the hacker's email, and he can now proceed to log into Alex's FB account and do as he pleases.

Now, you might wonder how on earth Alex could have protected himself against the phishing attack. The main thing you can do is to never log in on a page you reached through a link. If you need to log into Facebook, then manually type facebook.com into your browser. This way, you never expose your login details to the hacker, since you never typed your username or password into his site. Of course, this is very annoying in the long run; however, it is the best approach to protect your FB account against phishers.

You can also check the domain name in the URL to manually verify that the site is actually the one it pretends to be. This is generally a safe method as well; however, advanced attacks such as homograph attacks will still fool you in this case.

Below, we have shown pictures of a couple of Facebook phishing sites. Check them out and see if you can spot the differences between those and the real site.

[Image: Facebook phishing attack]

Even though the above site has an SSL certificate, it is not authentic. People often confuse a site having an SSL certificate with the site being authentic. Obtaining an SSL certificate these days is very easy, as several services such as Cloudflare provide them completely free of charge.

While this URL does not contain HTTPS, it still looks very similar to the real Facebook domain.
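The advice above (check the domain, and remember that digit swaps like facebo0k.com and homograph look-alikes can slip past a quick glance) can be turned into a simple checker. The following is an added example written for this article, not code from the original page: it folds a host name to the ASCII it resembles (NFKC normalisation plus a small, constructed table of confusable characters), decodes punycode labels, and compares the registrable domain against a trusted list. The trusted list, the confusable table, the "last two labels" rule for the registrable domain and the distance threshold of 2 are all assumptions chosen for illustration; a production tool would use the Unicode TR39 confusables data and a public-suffix list instead.

```python
import unicodedata

# Domains the checker treats as genuine (constructed list; extend per deployment).
TRUSTED_DOMAINS = {"facebook.com"}

# Hand-picked characters that look like ASCII letters (constructed subset of the
# Unicode TR39 confusables list, which a real deployment would load instead).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",           # digit look-alikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a",                                # Greek ο α
})


def decode_label(label: str) -> str:
    """Turn a punycode label such as 'xn--...' back into the Unicode it is displayed as."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def skeleton(name: str) -> str:
    """Fold a host name to the ASCII it resembles: NFKC, confusable map, rn->m, vv->w."""
    folded = unicodedata.normalize("NFKC", name.lower()).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike', 'typosquat', 'brand-in-domain' or 'unrelated'."""
    labels = [decode_label(l) for l in host.lower().rstrip(".").split(".")]
    # Simplification (assumption): registrable domain = last two labels; ignores co.uk etc.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    reg_skel = skeleton(registrable)
    host_skel = skeleton(".".join(labels))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if reg_skel == trusted:
            return "lookalike"          # identical once confusables are folded (facebo0k.com)
        if levenshtein(reg_skel.split(".")[0], brand) <= 2:
            return "typosquat"          # facebok.com, faceboook.com, ...
        if brand in host_skel:
            return "brand-in-domain"    # facebook-login.com, facebook.com.evil.test
    return "unrelated"


if __name__ == "__main__":
    for h in ["www.facebook.com", "facebo0k.com", "f\u0430cebook.com",
              "facebok.com", "facebook-login.com", "example.com"]:
        print(f"{h:22} -> {classify_host(h)}")
```

Anything other than "trusted" is a reason not to type a password on the page; the categories only describe how the name was built. The check runs on the host name alone, so it is unaffected by the presence of HTTPS, which, as noted above, says nothing about who owns the site.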

This article is a work in progress, therefore we will gradually update it with new hacking methods so stay tuned.

Social engineering

This is yet another extremely popular and powerful method for hacking Facebook accounts. What makes this technique especially dangerous is the fact that it requires little to no technical knowledge. Any average Joe will be able to perform social engineering against FB accounts at a basic level.

[Image: social engineering is easy on Facebook]

Basically, social engineering is the technique of collecting as much personal information as possible about the person behind an account. Common details are things such as date of birth, mother's maiden name and the cities the target has lived in; however, more specific information is also collected, such as the name of the first pet, the favorite high school teacher, the favorite book etc.

So how does social engineering work?

Nowadays, the vast majority of websites offer the option of resetting an account's password in case the owner forgets it. In order to recover the password, the person needs to answer a question about a personal detail such as the ones previously mentioned. Naturally, only the account owner is supposed to know this, but if a third party gets hold of this information then he/she could effectively hack the Facebook password of the target's account.

How to choose a good security answer

Having a secure security answer is as important as having a secure password. Don't use information that is publicly known, such as the city you were born in or your mother's maiden name. Hackers can look up this information online and thus reset your password. Additionally, you might want to enable login alerts, which can be activated through the Facebook security settings and will alert you by phone or email whenever an unknown device logs into your Facebook account. Furthermore, Facebook has recently introduced the option of choosing friends to help you log back in. In case you forget your password you can contact these friends and ask for their special codes, which in turn can be used to log back into your account.

[Image: password recovery by using Facebook friends]

Do not use weak or obvious passwords

Security questions are only one aspect of social engineering. Another aspect is the password itself. Even if the hacker cannot guess the answer to your security question, he might be able to guess the password of the account itself and thereby "hack" the Facebook account simply by logging in.
Just like the security answer, the password should be hard to guess and must not include obvious details such as your birthday, your name, your favorite sports team etc. Keep in mind that information like this is extremely easy to look up on Facebook, so you have to be extra careful when securing your account against Facebook password crackers.
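Both pieces of advice above (the security answer and the password must not be built from facts visible on your profile) come down to one check: does the secret contain anything an outsider could read off the profile? The following is an added example written for this article, not code from the original page. It derives the tokens a profile exposes (names, pet, team, city, and the date of birth in the formats people actually type), folds common "leet" substitutions back to letters so that Ar5en4l still matches Arsenal, and reports every hit. The profile fields, the substitution table, the 4-character minimum token length and the 12-character minimum password length are constructed assumptions for the example.

```python
from datetime import date

# Common "leet" substitutions folded back to letters (constructed table; "1" is
# read as "i" here, although some people use it for "l").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_TOKEN = 4     # ignore very short facts ("rex") that would match by accident
MIN_LENGTH = 12   # assumed minimum password length


def derived_tokens(profile: dict) -> set:
    """Everything an outsider could learn from a public profile, in the forms people type it."""
    tokens = set()
    for key in ("first_name", "last_name", "mothers_maiden_name",
                "pet", "team", "city", "school"):
        value = profile.get(key)
        if value:
            tokens.add(value.lower().replace(" ", ""))
    birthday = profile.get("birthday")
    if birthday:
        # 1990, 1405, 0514, 14051990, 05141990, 140590 for 14 May 1990
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y"):
            tokens.add(birthday.strftime(fmt))
    return {t for t in tokens if len(t) >= MIN_TOKEN}


def personal_facts_in(secret: str, profile: dict) -> list:
    """Return the profile facts that appear inside a password or security answer."""
    plain = secret.lower().replace(" ", "")
    unleet = plain.translate(LEET)
    return sorted(t for t in derived_tokens(profile) if t in plain or t in unleet)


def is_acceptable(secret: str, profile: dict) -> bool:
    """Long enough and free of anything the profile gives away."""
    return len(secret) >= MIN_LENGTH and not personal_facts_in(secret, profile)


if __name__ == "__main__":
    # Constructed sample profile: the kind of facts visible on a public timeline.
    alex = {"first_name": "Alex", "last_name": "Jensen", "birthday": date(1990, 5, 14),
            "pet": "Rex", "team": "Arsenal", "city": "Odense"}
    for candidate in ("Alex1990!", "Ar5en4l!!", "Odense", "correct-horse-battery"):
        print(f"{candidate:24} facts found: {personal_facts_in(candidate, alex)}"
              f"  acceptable: {is_acceptable(candidate, alex)}")
```

The same function applied to a security answer ("Odense" for "Which city were you born in?") shows why the reset question is only as strong as the obscurity of the answer: if the answer is a token the profile already exposes, the question adds nothing.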

How to hack a Facebook account through a third party

While it isn't impossible to hack a Facebook account directly, it certainly is cumbersome. Therefore, if you are already a skilled hacker, you might be better off targeting a third party website that the target is already a member of. Your best option is to target a poor quality website, since such sites tend not to salt or hash passwords and simply store them in plaintext in the database.

[Image: passwords stored in third party databases]

The reason this often works is that the vast majority of internet users reuse the same password for all their online accounts. Thus, if you can obtain the password the target used on a third party site, it is very likely that you have just got the password of the victim's Facebook account as well.

In order to find other sites that the target is using, try searching on Google for their name, interests or local communities that he/she might be a member of.

Creating your own third party decoy

If you were unable to find/hack any third party sites that the victim is a member of, you might be better off creating your own third party website. If the target is interested in horses, create a local horse forum/community and invite him to join. Most likely he'll join and use his Facebook password to sign up. Now, simply look in your site's database, grab the password he signed up with and try logging onto Facebook with it. If you're in luck, it will work and you have effectively hacked a Facebook account.

How to protect your Facebook account against a third party hack

The first rule of thumb is to never trust low quality websites. You don't know who owns them, nor do you know how secure they truly are, regardless of whether or not they are using HTTPS.

[Image: plaintext is insecure]

The fact is, however, that even large, legitimate sites get hacked nowadays. LinkedIn and Twitter both got hacked a couple of years back, so the truth of the matter is that there is no "safe" place for your passwords.

The best way to handle this is to use a unique password for every single site you are a member of. This way, even if a site gets hacked it doesn't compromise the other sites you are a member of.
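The two halves of this section (a "poor quality" site that keeps passwords in plaintext, and the advice that no site is a safe place for a password) can be shown side by side. The following is an added example written for this article, not code from the original page or from any real site: the first class is the weak design the article describes (the database row is the password), the second stores a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest, and a helper simulates an attacker who has dumped the whole table. The iteration count, the 16-byte salt and the sample user names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # PBKDF2 work factor (assumption); raise as hardware gets faster


class PlaintextUserStore:
    """The weak design the article warns about: the stored row IS the password."""

    def __init__(self):
        self.rows = {}

    def register(self, user: str, password: str) -> None:
        self.rows[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.rows.get(user) == password


class HashedUserStore:
    """Per-user salt plus a slow hash; a dump of self.rows reveals no password."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)          # fresh per user: equal passwords, different rows
        self.rows[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self.rows.get(user)
        if record is None:
            self._derive(password, bytes(16))   # same cost for unknown users (no username oracle)
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)


def dump_leaks_password(store, password: str) -> bool:
    """Simulate an attacker reading the whole table: does the password itself appear in it?"""
    return any(password == value for value in store.rows.values())


if __name__ == "__main__":
    weak, strong = PlaintextUserStore(), HashedUserStore()
    for store in (weak, strong):
        store.register("alex", "Horses2014!")   # constructed sample credential
    print("plaintext dump leaks the password:", dump_leaks_password(weak, "Horses2014!"))
    print("hashed dump leaks the password:   ", dump_leaks_password(strong, "Horses2014!"))
```

Even the hashed store only buys time: a leaked salted digest can still be attacked offline, one guess per PBKDF2 evaluation, which is exactly why the unique-password-per-site rule above matters regardless of how well a given site stores its data.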

Use a password manager

You might be scratching your head, worrying about having to remember 20 different passwords now. However, if you use a password manager you won't have to. A password manager is a tool that securely stores your passwords and automatically logs you into whatever website you want to log into, so you won't have to remember a single password. There are a lot of password managers out there, backed by different providers such as Kaspersky etc. Pick the one you like and stick to it.

Keylogging

Keylogging is the practice of recording the keystrokes typed on a computer or smartphone and sending those logs to the attacker.

How does keylogging work?

Naturally, a keylogger runs as a background process and is thus invisible to the common user. Keyloggers function in different ways, but generally they record every keystroke and send a report of those keystrokes to an email address every X minutes. Nowadays, a lot of keyloggers are also able to log which program the keystrokes were typed into (e.g. a browser) and even which website (e.g. www.facebook.com). This means that if you log onto Facebook from a computer that has a keylogger installed, you effectively send your username and password to the owner of the keylogger. He can then log in to your account and has thus effectively hacked the Facebook account.

[Image: a keylogger is a simple way to hack a Facebook account]

The hacker could also ask you to log in to your Facebook account on their computer, on which they have already installed a keylogger. The same is possible with mobile phones.

How to protect your Facebook account from keyloggers

If you are logging into your Facebook account from your personal PC, then you shouldn't have to worry about being keylogged. This is of course assuming you have an up-to-date antivirus and haven't been infected by a third party.

If, however, you are logging into your Facebook account on another person's computer, then you should definitely be careful, since that computer could be infected whether the owner knows it or not.

[Image: an on-screen keyboard]

In this case, an on-screen keyboard is a great solution that lets you enter your password just as a physical keyboard would. An on-screen keyboard will, however, not be captured by a keylogger, since you enter keys by pressing buttons on the screen. You can access it in Windows by pressing WinKey + R or through your browser (most popular browsers have a built-in on-screen keyboard).

Hacker Facebook apps

Unlike most of the other ways to hack a Facebook account that we have mentioned here, this method does not exactly hack the Facebook account by gaining complete control of it. It generally gives the hacker access to a set of predefined actions, such as liking and posting content.

Like most people, you have probably experienced being able to log into a site through your Facebook account. The thing is, you are actually logging in through a third party Facebook app that is not owned by Facebook itself. When you log in through a third party app for the first time, you will generally have to grant the application a set of permissions. These permissions can range from the application being able to view your friend list to posting comments on your behalf.

Here's a list of some of the more common actions that FB applications can be granted:

  • Access your confidential account information
  • Manage your pages
  • Share posts and links
  • Post comments and updates

Of course, in general there are perfectly valid reasons why an application needs to be able to post comments and updates on your behalf. The issue, however, is the minority of applications that request these permissions in order to spam you and your friends.

Imagine this scenario:

You have granted an application the permission to share links on your account. However, contrary to what you expected, the application starts sharing all sorts of unrelated links on your account without you knowing about it. In this case, it might be a way for the application to spread itself to your friends' accounts and onward from there.

How you can avoid getting hacked by a malicious Facebook app

Always be aware of which permissions you grant an application. Furthermore, be critical about the reasons why the application needs the rights it requests.

[Image: hacker apps request too many permissions]

For example, it seems reasonable that a blogging platform would request access to share links on your Facebook wall (since you might want to share your blog posts there); however, if a website that merely asks you to use Facebook to log in requests these permissions, then it might be due to malicious intent. A Facebook application should never request more permissions than it needs, therefore never grant an app more permissions than you deem necessary.

Remember, you can always revoke the permissions you have granted in your Facebook account settings. It is generally recommended that you review the permissions granted to your Facebook apps from time to time.
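The review this section recommends (compare what each app holds against what its purpose actually needs, and drop grants you no longer use) can be written down as a small audit. The following is an added example written for this article, not code from the original page and not using Facebook's real permission identifiers: the permission names paraphrase the list given earlier in the article, the per-purpose least-privilege baselines, the risk weights and the 90-day staleness window are constructed assumptions, and the app list is constructed sample input.

```python
from datetime import date, timedelta

# Paraphrased from the article's list of grantable actions (constructed names,
# not Facebook's real scope identifiers); the weight is how much a misuse could do.
RISK = {
    "view_public_profile": 0,
    "view_friend_list": 1,
    "access_account_information": 2,
    "share_posts_and_links": 3,
    "post_comments_and_updates": 3,
    "manage_pages": 4,
}

# Least-privilege baseline per kind of app (assumption for the example).
BASELINE = {
    "login_only": {"view_public_profile"},
    "blogging_platform": {"view_public_profile", "share_posts_and_links"},
    "page_admin_tool": {"view_public_profile", "manage_pages", "post_comments_and_updates"},
}

STALE_AFTER = timedelta(days=90)   # unused for this long: revoke rather than trim


def audit_app(app: dict, today: date) -> dict:
    """Report what an app holds beyond its purpose, and whether the grant is still in use."""
    requested = set(app["permissions"])
    unknown = requested - set(RISK)
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    excess = requested - BASELINE[app["purpose"]]
    score = sum(RISK[p] for p in excess)
    stale = today - app["last_used"] > STALE_AFTER
    if stale:
        verdict = "revoke"   # nothing is lost by removing an app you no longer use
    elif excess:
        verdict = "trim"     # keep the app, remove the permissions it does not need
    else:
        verdict = "ok"
    return {
        "name": app["name"],
        "verdict": verdict,
        "excess": sorted(excess, key=lambda p: (-RISK[p], p)),
        "risk_score": score,
        "stale": stale,
    }


def audit_all(apps: list, today: date) -> list:
    """Audit every granted app, riskiest first."""
    findings = [audit_app(app, today) for app in apps]
    return sorted(findings, key=lambda f: (-f["risk_score"], not f["stale"], f["name"]))


# Constructed sample of what an account's "apps and websites" page might list.
SAMPLE_APPS = [
    {"name": "My Blog", "purpose": "blogging_platform",
     "permissions": ["view_public_profile", "share_posts_and_links"],
     "last_used": date(2024, 5, 20)},
    {"name": "Quiz Game", "purpose": "login_only",
     "permissions": ["view_public_profile", "view_friend_list",
                     "share_posts_and_links", "post_comments_and_updates"],
     "last_used": date(2024, 6, 1)},
    {"name": "Old Recipe Site", "purpose": "login_only",
     "permissions": ["view_public_profile"],
     "last_used": date(2023, 1, 1)},
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_APPS, date(2024, 6, 10)):
        print(f"{f['name']:16} {f['verdict']:7} score={f['risk_score']} excess={f['excess']}")
```

The "Quiz Game" entry is the case the article describes: a site that only needs you to log in but holds the right to share links and post on your behalf, which is exactly what a self-spreading app would use.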