Someone has hacked my email account via Facebook! And I can’t fix it!


Facebook has been giving me some serious security problems lately! And IT’S NOT EVEN MY FACEBOOK ACCOUNT!!!!

Short Version:

Someone has used one of my email addresses as an alternate in their Facebook account.
Facebook actually allowed them to do that!
Because of whatever Facebook did and/or didn’t do in their systems, I could actually login to the culprit’s facebook account via my Yahoo account!
But now the other Facebook user has once again changed my email’s password, and I can’t login to my Yahoo email again!
Nor can I contact Facebook to get them to correct it!

———

Long Version:

I have a number of email addresses that I’ve used over the years. A few I got in 1998 or earlier and I use them occasionally. One is a Hotmail account. The other is a Yahoo account.

This Yahoo account is important. It’s the same account that I’ve used for booking some airline flights.

The other day I went to login to this Yahoo account. But I could not. I knew that my password was correct. I was able to change the password online with Yahoo’s tools and security.

When I logged in, I saw a whole bunch of emails from Facebook. For a Rodger V.

Now, for some reason, when I was in my Yahoo account, I was actually able to login to Rodger V’s Facebook account!!!! Just like that!!!! Great security huh!

Now I’m not a malicious kind of guy. But I did want an end to this nonsense. So, I went into his Facebook preferences, and tried to remove MY email address from his alternate email. And set his email, as the main and only email.

But no matter what I did, MY Yahoo email address remained in his preferences.

So I then tried on different systems; Redhat Linux, and on Windows, using different browsers. But my email address just wouldn’t leave this guy’s account.

The next day, I found that I could not login to my Yahoo account again. According to my Hotmail account that is associated with the Yahoo account, the password was changed again. Obviously, Rodger V logged in, and changed my Yahoo password, via Facebook!!!

———

Just what is going on here!!!??

Don’t you think that if you were to put an alternate email in your profile, that you would have to login to that account directly, with that account’s password, and confirm it??? Obviously, that isn’t being done.

I can’t think of any other place, where this is not the case. If you put an ad on Craigslist, using an email address, you have to go to that account, using the proper password, and confirm the ad. It’s simple and effective for security. Others then can’t put up ads in your name and do damage or abuse.

And why can someone login to Facebook, from a Yahoo account that is not confirmed yet? Who thought of that stupidity???? Or perhaps there was no thought put into any of the consequences of what they were doing. (See so many articles I’ve written all over my blog on these issues: analysis, design, architecture, error trapping, and so on, that touch on these subjects.)

And, why can’t this email address be simply and effectively removed from the preferences???? In retrospect, I suspect that perhaps Rodger V also could not remove my email address from his preferences.

Adding or removing an alternate email address, is something that I’ve seen on other websites. It’s not a difficult concept. So why is it sooooo difficult for Facebook?

And why can the Facebook user, then change my Yahoo account’s password??? Why is Yahoo allowing the password to be changed via Facebook???

What’s wrong with standard practice?? That is, when you want to go to Facebook, you login to Facebook. Not go to Yahoo, to get to your Facebook.
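The confirm-before-use practice described above, sketched as an added example (not part of the original post and not Facebook's or Yahoo's code): an alternate address stays pending until a token mailed to it is presented, cannot identify an account for login or reset while pending, and can be dropped by the mailbox owner. `AccountStore`, its method names and `TOKEN_TTL` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a confirmation link, in seconds

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class AccountStore:
    """Hypothetical in-memory store; each account has verified and pending emails."""

    def __init__(self):
        self.accounts = {}

    def create(self, account_id, primary_email):
        # Assumption: the primary address was already confirmed at sign-up.
        self.accounts[account_id] = {"verified": {primary_email}, "pending": {}}

    def owner_of(self, email):
        """Only a verified address may identify an account for login or reset."""
        for account_id, acct in self.accounts.items():
            if email in acct["verified"]:
                return account_id
        return None

    def request_alternate(self, account_id, email, now=None):
        """Park the address as pending; the token is mailed to that address only."""
        if self.owner_of(email) is not None:
            raise ValueError("address is already verified on an account")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a database leak does not yield usable links.
        self.accounts[account_id]["pending"][email] = (_digest(token), now + TOKEN_TTL)
        return token

    def confirm(self, account_id, email, token, now=None):
        """Promote pending -> verified only for the right, unexpired token."""
        now = time.time() if now is None else now
        pending = self.accounts[account_id]["pending"]
        entry = pending.get(email)
        if entry is None or now > entry[1]:
            return False
        if not hmac.compare_digest(entry[0], _digest(token)):
            return False
        del pending[email]
        self.accounts[account_id]["verified"].add(email)
        return True

    def disavow(self, account_id, email):
        """'This is not my account' link: the mailbox owner drops the claim."""
        return self.accounts[account_id]["pending"].pop(email, None) is not None
```
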

———

Now, if all this is not bad enough, I’ve been trying to contact Facebook to deal with the issue. I went to report a bug. This clearly needs to be addressed by an engineer. Not the usual first line “customer support” people, who can barely read or understand what you have written and what the issue actually is.

But after a number of minutes and many mouse clicks, looking through Login Bugs, I could not report a bug. It was the usual “figure it out yourself” crap. Lots of FAQ. But no obvious way to report a bug.

Really, when I want to report a bug, I want to report a bug. Now. It’s really quite simple. How can Facebook make something so simple, soooo complex?

———

What really makes me angry is that none of this is any fault of my own. And perhaps, it is also just a simple mistake of Rodger V., and he is frustrated too.

But it affects me. I’ve spent a few hours now trying to “figure it out yourself” and solve it. But still no resolution. So now, I’m spending more time bringing the issue to light.

Don’t you think we should be allowed to sue Facebook and other websites for wasted time like this? I mean really quickly and effectively, not getting dragged out in the courts, and requiring expensive lawyers.

Do you think that if companies were actually liable, with real and actual dollar costs, that they would put more thought and bulletproofing into their websites if that was the case??? I’ll bet they would.

Right now, I see little or no consequence to these corporations having websites that screw up, waste the user’s time, waste the public’s time, compromise their security, or even cost them actual out of pocket expenses. Hey, it doesn’t cost the corporation anything. So they are not motivated to do anything.

But this issue, and others, are certainly costing ME time and energy. I sure hope it doesn’t move into identity theft or other aspects with real dollar costs.

———

Does anyone know how to contact Facebook so they can get with the program? That is, in one URL mouse click? Or email address? If anybody knows any technical people at Facebook, please forward this post to them.

Facebook engineers, if you are reading this, please respond WITH A PROPER EMAIL ADDRESS AND PHONE NUMBER so that I can send you the details of my compromised Yahoo account and the offending culprit, Rodger V.

Thanks a lot!

2 Responses to Someone has hacked my email account via Facebook! And I can’t fix it!

  1. Nah says:

    Did you click on the links in the emails? If so, you might be the victim of a phishing attack. Ex – the emails that were actually not from facebook. Clicking on their links redirected activated urls to reset your Yahoo password (which they could only do because you were already logged in). They then redirect you to facebook, so you don’t notice what happened.

    This wouldn’t have anything to do with Facebook. Or with Yahoo.

    If you have found a problem with their login systems, I’m sure you’d be able to reproduce it. Were you able to? If so, go ahead and post it somewhere where it will get more attention. I’m sure that will get the problem fixed and give you some fame.

    • rodgersnotes says:

      Here’s an update three months after I first wrote this.

      I tried many ways to contact Facebook. Tech support. Nothing for this issue. And only bots responding. Sent letters. Nothing. Even tried calling them on the phone. Turns out they have all kinds of systems to NOT communicate with people. If you don’t know the extension, you can’t talk to anyone! Not even the receptionist.

      I finally found someone who works in Facebook security via Linked In, and emailed his personal account.

      He responded, but I don’t think he did any real investigation. As in, actually looking at the other Rodger’s account to verify if what I was saying was true. Or, searching for my Yahoo account in Facebook’s database. I’ve worked fixing systems for a long time. That’s one of the first things I would do.

      He did ask me to verify that I was the owner of the Yahoo account. I went through the procedure again, to get my password back via my Hotmail account. Then sent him an email from it.

      So far, so good. I can still login to my account.

      As for your thought, “Did you click on the links in the emails?” No.

      I did search for an initial email like the one you mention. Nothing. The emails started in January. Notifications on what was happening in the other Rodger’s Facebook account. But no initial email with a link to click.

      I’m also highly aware of phishing attacks, and forward them frequently to the legit companies.

      I really would like to know: What do the Facebook logs say? Can anyone at Facebook investigate?

      I suspect that after I had emailed the other Rodger, he took my email out of his FB account. But didn’t tell me. If that’s the case, I wish he would have.

      What an incredible waste of my time!
