Colas.Nahaboo.net - securityColas Nahaboo personal site, with discussions about programming code, web and computing topics, surfing and SUPing, and various musings.Zola2026-04-28T00:00:00+00:00https://colas.nahaboo.net/tags/security/atom.xmlI recovered my Facebook account, read how2026-04-28T00:00:00+00:002026-04-28T00:00:00+00:00
Unknown
https://colas.nahaboo.net/blog/i-recovered-my-facebook-account-read-how/<h2 id="what-happened">What happened<a class="zola-anchor" href="#what-happened" aria-label="Anchor link for: what-happened">🔗</a></h2>
<p>On 2024-10-24, <a href="https://colas.nahaboo.net/blog/my-facebook-account-has-changed-hacked/">my Facebook account was hacked</a>. Alas, Facebook did not allow me to get back my account, or even report the account as compromised, without entering the current password that whad been changed by the hackers. So I had to create a new account, and moved on.</p>
<p>However, I recently created a test account on Instagram, to try to generate RSS feeds to follow Instagram accounts more comfortably via my RSS-Bridge. And I was surprised to see that my "new" account was in fact the account of another user that had been blocked, then unblocked.</p>
<p>This prompted me to try to re-log into my old Facebook account and... it worked! <strong>I was able to reset the password</strong> without knowing the current one.
I thus will remove the new account after some time.</p>
<h2 id="nice-but-why">Nice, but why?<a class="zola-anchor" href="#nice-but-why" aria-label="Anchor link for: nice-but-why">🔗</a></h2>
<p>But looking a bit (for instance about <a rel="noopener external" target="_blank" href="https://riskbasedauthentication.org/state-of-practice/">Risk-Based Authentication (RBA)</a>, it appears I was lucky to try to re-use my account just days after a 6 month delay: Facebook relaxes accounts the security measures 6 months after a detected suspicious activity!</p>
<p>The behavior I experienced — being blocked from recovery despite having valid contact info, followed by a sudden "opening" of access — is apparently a documented pattern in Facebook’s security ecosystem, notably their <strong>automated risk assessment</strong> procedures.</p>
<h3 id="the-security-freeze-why-i-was-stuck">The "Security Freeze" (Why I was stuck)<a class="zola-anchor" href="#the-security-freeze-why-i-was-stuck" aria-label="Anchor link for: the-security-freeze-why-i-was-stuck">🔗</a></h3>
<p>When a hijacker changes a password, Facebook’s "Trusted Device" and "Location" protocols often trigger a lock. Even if my email and phone were correct, Facebook may refuse a reset if:</p>
<ul>
<li>I cannot provide the current password, aka <strong>The "Current Password" Requirement</strong>. This is a common defensive measure when Facebook detects a "conflict of ownership." If the system sees two different locations (mine and the hacker's) trying to claim the account, it often demands the <em>current</em> password to prevent the owner from being "kicked out" by someone who isn't actually the owner. Needless to say, this is a really bad design, as hackers first move is to change the password.</li>
<li>I use another browser. As I tried many ways to recover my account, I also tried to use another browser on another machine, to start afresh. But this failed Facebook <strong>IP Reputation</strong> detection: Seeing I was trying to recover the account from a network or device the system didn't "trust" at that moment, it applied the most restrictive recovery path to the account.</li>
</ul>
<h3 id="why-it-suddenly-worked-the-6-months-cooldown-period">Why it suddenly worked (The 6 months "Cooldown" Period)<a class="zola-anchor" href="#why-it-suddenly-worked-the-6-months-cooldown-period" aria-label="Anchor link for: why-it-suddenly-worked-the-6-months-cooldown-period">🔗</a></h3>
<p>Nothing is actually officially documented, but here is the likely scenario:</p>
<ul>
<li><strong>Risk Score Decay:</strong> After 6 months of inactivity (or if the hacker eventually triggered a "Security Lock" that made the account go dormant), the "Risk Score" associated with the account drops.</li>
<li><strong>Account Dormancy:</strong> Facebook often flags accounts that have been compromised as "checkpointed." After a certain period of time without successful logins from the hijacker, the system may lower the threshold for recovery for the <em>original</em> owner, especially if he are using a device or IP address that was associated with the account for years before the hack.</li>
<li><strong>The "Verification Reset":</strong> Facebook occasionally clears the "verification debt" on accounts. If the hacker was blocked by Facebook’s automated systems (e.g., for spamming), the account enters a state where the next person to provide valid 2FA or email confirmation is granted access without the "current password" hurdle.</li>
</ul>
<p>All of this is totally automated, with no human intervention, by the system's <strong>"Identity Verification"</strong> logic resetting itself after a period of dormancy. Once the "Pirate" was no longer active, the system stopped viewing my recovery attempt as a "hostile takeover" and allowed the standard email/phone reset to work.</p>
<h3 id="summary-of-known-behavior">Summary of Known Behavior<a class="zola-anchor" href="#summary-of-known-behavior" aria-label="Anchor link for: summary-of-known-behavior">🔗</a></h3>
<table><thead><tr><th style="text-align: left">Stage</th><th style="text-align: left">System Logic</th><th style="text-align: left">Result</th></tr></thead><tbody>
<tr><td style="text-align: left"><strong>Initial Hack</strong></td><td style="text-align: left">High-conflict state; system protects the "active" user.</td><td style="text-align: left">Recovery denied despite valid email.</td></tr>
<tr><td style="text-align: left"><strong>The 6-Month Gap</strong></td><td style="text-align: left">Account goes dormant or hacker is "checkpointed."</td><td style="text-align: left">Security tension on the account relaxes.</td></tr>
<tr><td style="text-align: left"><strong>Recovery</strong></td><td style="text-align: left">System recognizes you are the owner IP/Location and valid contact info.</td><td style="text-align: left">Password reset allowed without "Current Password."</td></tr>
</tbody></table>
<h3 id="what-to-do-once-the-account-is-recovered">What to do once the account is recovered<a class="zola-anchor" href="#what-to-do-once-the-account-is-recovered" aria-label="Anchor link for: what-to-do-once-the-account-is-recovered">🔗</a></h3>
<ul>
<li>Check the Settings for <strong>"Saved Login"</strong>, <strong>"Where you're logged in"</strong>, and <strong>"Apps and websites"</strong> immediately. Sometimes hackers leave a "backdoor" by authorizing a specific browser or app that doesn't require a password.</li>
<li>Change the password, enable 2FA (Two-factor authentication).</li>
<li>Remove all apps connected to the account.</li>
<li>Check other sites that authorized logins from this Facebook account, change their passwords andf look for suspicious activity.</li>
</ul>