How do Facebook Hacks lead to Identity Theft?


There has been a lot of attention paid to Facebook, and its possible links to identity theft, over the past year.  Facebook now claims a Billion (with a B) users worldwide, and each of us users puts forth a greater or lesser amount of information about ourselves in our postings to Facebook.  And each of us does a better or worse job of understanding the Facebook privacy settings, and how they may affect the distribution of our information.  One point to consider is that I doubt there is another single location of personal data anywhere that will give a criminal potential access to 1000 million user identities.  What this means to the criminal is that any effort they expend to design a working exploit can then be used successfully many, many times.  Facebook is a big target, and worth the effort, in other words.

First, please understand for your own benefit, that hacking a Facebook account is a crime.  California Penal Code 530.5 makes it a potential crime to unlawfully access a victim’s account to produce changes to the account, including profiles, comments, and other information posted by the owner.  This law also makes it a crime to obtain personal identifying information of a person and then use that information to obtain services, property, or other benefit (identity theft).  Many other states have similar statutes.  So, changing your friend’s Facebook profile because you happened to become privy to her password may have consequences far more costly than expected.  Keep in mind that your access and modification of her profile is potentially a criminal offense, not a civil offense.  So, both access/modification and use of information found on her Facebook profile may result in criminal charges against you.

Now, assuming you are not going to be the hacker, what ways can your personal FB information be compromised to an identity thief?  Here are some of the exploits that are used:

  • First, realize that each person you “friend” now obtains access to significant information about you, as well as the ability to interact with you in a manner that may make exploits against you possible.  Just because they are a “friend of a friend” does not mean that person is somehow legitimate to be your friend.
  • Malware injection is the procedure where a “friend” in some way convinces you to click a link or run a program that installs malware on your computer.  Your computer and possibly your FB account can now be partially controlled by external users, and they will use this control to send spam, advertise illicit products, or otherwise interact with your friends list.
  • Linkjacking is a Facebook threat where the account is hijacked in a manner that allows the thief to “message” other users with viruses, ads, links, etc.
  • Social Engineering is common on social networking sites, and a common outgrowth of the spread of your personal information.  It is human nature to be more likely to respond to an email when the sender includes information that shows they know a lot about you.  A phishing email sent to you that gets you to respond, and compromise your security, is just much more convincing when it appears that the sender knows you in some way.
  • Account Access – Criminals obtain access to FB accounts using brute force tools to guess the password, or using credentials you have compromised.  Regardless of how it’s done, the criminal now has access to your friends list, and an authentic cyber identity that can be used for cons, scams, and other exploits, all based upon the fact that the targets would not expect that of you.
  • Cloning – It is often far too easy to collect images and other information from your FB user profile in order to create a new FB account that is similar in many ways to your current account.  Then all those appearing on your friends list are sent a new invitation from the clone account, and some of those will reply, due to the familiarity of the images and information.  They are then open to use of their own information by the criminal.

The list above is not intended to be comprehensive, but just to show that criminals do want your information, and will use it in many ways you probably have not imagined.  It is important to protect your user credentials, limit your friends to those you really do know, and be suspicious of links, games, and other enticements which may be links to security problems.  Clicking that link to the “Hot Blond Pole Dance” might be an expensive trip.



Rex Davis

Rex Davis is the Director of Operations at the Identity Theft Resource Center. He has spent the last five years with the ITRC and his area of expertise is Information Security. Creating public awareness of identity theft and cyber security risks is his passion.
