Hack into a Facebook account with a fake passport!

Aaron Thompson is a Facebook user who has exposed an online thief that gained access to his account simply by sending the support team a fake passport to unlock the account.

Thompson spoke about the incident on news site Reddit when he realized that he was locked out of his account as a hacker was granted access to his Facebook account by the social networking company. Facebook later apologized for the same and restored the account back to him.

According to the BBC, the decision to accept the fake ID was a mistake that violated the firm’s internal policies. In fact, Thompson got to know about the entire chain of events that led to the hack through an email from Facebook, headed: “Description of the issue you’re encountering.”

It included this request: “Hi. I don’t have any more access to my mobile phone number. Kindly turn off code generator and login approval from my account. Thanks.” The email, of course, had not been sent by Thompson but by the hacker who did not have access to Thompson’s email address or passwords.

Facebook replied with a message, advising the impostor to send a photo or scan of their ID to “confirm you own the account”. That scanned image was also forwarded to Thompson’s email account with the response: “Thanks for verifying your identity. You should now be able to log into your account.”

After gaining access, hacker removed all the administrators for the sites and sent Thompson’s fiancée some porn pictures.

“It’s blatant harassment,” Thompson wrote on Reddit saying that he was “pretty devastated” when he realized what had happened. It was at this point he picked up the email conversation with Facebook, attempting to inform them that he was, in fact, the owner of the account and that previous emails and the passport ID had not been sent by him.

“Please look further into this, it will be easy to see the account has been hacked. They sent a fake ID to Facebook’s help team to reset the email, and password,” he wrote.

Following the publication of his Reddit post, Facebook restored all his accounts. Thompson later offered the social media giant some security advice.

“This hacker was able to submit this request and hack the profile in four hours, all while I was sleeping. I didn’t even have time to see that someone was requesting this. There was no notification on Facebook, no notification on my cell phone. Given the severity of the theft of information, if someone were to hack into your account, I think Facebook should freeze the account to see if the owner does eventually use the original email or phone number to get back into the account.”

He also pointed a basic fact that if a request comes from a “suspicious IP address that seems unrelated with the normal IP of the account”, it should not be accepted.