How I hacked your Facebook account

Posted by



Imagine someone got on the loudspeaker at the Denver International Airport and started yelling out over and over again, “my Facebook username is Johnny@gmail.com and my password is jerky123″.

Now the next day when everyone in their mom logged into his account, he would claimed he got hacked. But did he?

Guess what. Every time you are using a public wifi network, password protected or not, you are shouting to the world your username and password to every website you use that is unencrypted.

Right now, as I write this, I am sitting in the denver airport. Its pretty much dead right now. I can see maybe 100 people in the entire terminal.

I just fired up FireFox with the FireSheep extension. Within seconds I have access to various peoples Gmail, Facebook, Yahoo, Hotmail. Amazon, Hotmail, and virtually every possible service known to man.

Keep in mind FireSheep is just a Firefox plugin (Google it) that has been downloaded millions of times. This plugin is totally passive network monitoring at its easiest. Its been pre-programmed to sniff for certain usernames of passwords for pre-defined sites.

There are TONS of tools that will show you a lot more stuff.

As you can see here I accessed someones Facebook account… read some messages. Its great for passing spare time:

Google accounts are just as easy to get into using the brainless Firesheep extension. I don’t ever do anything malicious… Just maybe set people’s search results to Vietnamese or something:

If you are using a public network of any kind, wifi or not, expect many people see everything you are doing.

You didn’t just get hacked. You are yelling to anyone that can hear you your username and passwords.

So how do you become more secure? Well for starters you should always tunnel your traffic through a ssh connection, vpn, or another secure method.

But I know 99.9% of my readers probably don’t know what a VPN is much less will be able to configure one.

So lets start with the basics.

To make your Gmail account secure change this setting:

To make all your Google Searches secure use this – https://www.google.com (I set it as my homepage).

To make your Facebook surfing secure change this setting in your account preferences:

:

Any place you are not using https:// in the front of the url you are at you should expect everyone is watching what you are doing.

Keep in mind this was at a airport where nobody was using computers….

Imagine what I see at a internet conference…..

119 thoughts on “How I hacked your Facebook account

  1. Tina Lindgren

    Hi
    What a great article. I will go change my settings
    right now.
    It just gets worse and worse with identity stealing, just as it did with
    viruses and spyware… we’ll probably end up loading a ton of protection software
    before we can proceed with our daily tasks…

    Keep up this great blog – I love it :-)

    cheers
    Tina

    1. E.c

      Hi my Facebook account just got hacked and the email address have been changed also. Can anyone help to advise on how to have my acct deactivated to ensure these evil bastards do not wreck havoc using my account? This is damn frustrating. I really need help

    2. Jen

      This is scary stuff. I’m going to change my settings as well. (Imaging everyone knowing what I did!) Thanks for this!

  2. dave

    That’s interesting that you say that because I feel there has been a TON of people sending emails/facebook posts about being hacked. I feel like one girl sends the message out every single month.

  3. Hotdogman

    Evil evil stuff. This is why I don’t like public networks. If you had larceny in your heart, you’d be dangerous!

    BTW you just publicly violated Facebook’s TOS 3.5: “You will not solicit login information or access an account belonging to someone else.”

    I won’ t tell….

  4. Harry

    Hacking is defined as unauthorized usage. You don’t have authorization to access these people’s accounts. Easy or not you have just admitted to the entire world that you have broken the law and have hacked these people’s accounts.

    Yes the passwords and session data are being broadcast in plaintext, but admitting to using them seems a bit crazy. It is 100% illegal.

    1. Liam

      In computing, a hacker is a person in one of several distinct (but not completely disjoint) communities and subcultures: * A community of enthusiast computer programmers and systems designers, originated in the 1960s around the Massachusetts Institute of Technology (MIT)’s Tech Model Railroad …
      en.wikipedia.org/wiki/Hacking_(computing)

    1. Skrull

      If you learn enough about someone, you can learn their security question answer (hometown, street they grew up on, first pet, etc)

      1. Goldfish

        Which is precisely why you should always give nonsense answers to those security questions. My hometown? The moon. Street I grew up on? Sunflower seeds. First pet? Tyrannosaurus rex named Tevevision. Mother’s maiden name? Awesomesauce. It’s easy to find facts. It’s not so easy to guess nonsense. ;)

  5. Vivek Parmar

    Already using these settings and Google 2 step verification enabled but only thinking to safe my facebook account. Using https but when you have to access any aaplication you have to change back to http. this is something where i have to take care of it

  6. sundeesh

    while reading this article my url on the top begins with http:// and not https:// how to avoid this ? :D

    wounder if it should be https:// on all the pages i visit while browsing different website daily.

    1. Ashish Patel

      you are not exposing any personal information such as password or anything important here. so i don’t think every website needs ssl or https to be secured. :)

  7. Trent

    Wow thanks for the heads up on that! I consider myself to be very internet savvy and I had no clue this was so easy.

  8. OJQ Jeff

    This is hilarious, I constantly amazed how lackadaisical people are with there private information. Hopefully this wakes a few people up !

  9. Alexander | Legit Make Money Online

    Thanks so much for sharing this information. I definitely went in and changed all my account settings as soon as I read this. I’ve never felt safe on public wifi networks, but I had no idea it was this easy. I’m a little curious to try this, but it’s also kinda scary that you don’t know who could be watching your every Internet move!

  10. Lovey

    Note that certain applications take you away from https! They do tell you when you click them. What they do NOT tell you: The change your standard setting! So next time you enter facebook, you are back on http! So chech the url regularly, if you want to stay safe!

  11. Korak

    Facebook’s coming integration to payment solutions makes this issue much more serious for their accounts. Smart sniffers are building up lists of user/pass info now and waiting patiently for when they can do something useful with it.

  12. John Tucker

    It is scary what people can find out about you on public wifi, considering it is so easy to protect all that information. I use soke software called Remobo on my laptop that creates a instant private network. Then using a simple proxy server on my home computer I route all the traffic through Remobo to my home proxy. Every thing is then encrypted. Works for me anyways. Better to be safe than have someone get my info.

  13. Garrett

    Shoe,

    Can you explain how you/Firesheep is able to pickup usernames/pws from gmail, amazon, yahoo, and hotmail? When I visit those sites and attempt to login it appears that I’m on an https connection…

    Gmail.com: redirects to https sign-in page automatically
    Hotmail.com: redirects to https sign-in page automatically
    mail.yahoo.com: redirects to https sign-in page automatically
    Amazon.com: is http by default, but redirects to https sign-in page if you click “Sign-in”

    I was under the “assumption” that sending a user/pass via an https sign-in page was secure. So, I’m curious how you’re picking these up. Perhaps you’re getting people that are cookied, have pws saved in browser, and are just getting auto-logged-in when they visit these sites?

    Would be cool if you could shed some light on this b/c I don’t want to be seeing Vietnamese search results or have a goatse Facebook avatar after the next Pubcon. :p

    1. Andrei Buiu

      He didn’t get any passwords…he is just a show off…firesheep doesn’t GET the passwords, it hijacks the session cookie between you(the browser) and the site(for example facebook). The cookie DOESN’T CONTAIN THE PASSWORD… so please Shoe, explain to me how did you get the password using firesheep

    2. Mark

      lol.. I haven’t heard the term goatse mentioned for years. You certainly wouldn’t want someone throwing that up on your profile.

  14. Bryan

    Wow – Never even really put any thought into this issue before. Although I don’t access a lot of public wifi hotspots often, this is helpful in the future (considering more and more locations are getting wifi – it’s nearly everywhere these days).

    On another note, I bet you had a heyday passing time this way, eh? :)

  15. Will

    Hacking is illegal. I would remove this post right away as you have admitted on a public blog to hacking other peoples accounts. You are making the problem worse by telling others how to replicate the hack.

    An irresponsible post.

  16. Ty Wagner

    This is a great post Shoe and something that would save people like myself that forgets about this security issue sometimes. Especially as an internet marketer you always wan’t your privacy and internet connection secure and free from prying eyes and hackers.

  17. Robert

    You said
    “Just maybe set people’s search results to Vietnamese or something”

    Wondering why you felt the need to do anything at all? That little prank might be a big deal for a newbie that may lose hours of productive time trying to figure out what the hell happened.

    Just because you can, doesn’t mean you should.

  18. Jacmo

    Great reminder and article. We develop a false sense of safety and security. I’d never heard of that plug in either. Will make me think twice over public networks. Thanks.

  19. Jessica S

    Not for nothing but yes it is stupid to log into public networks with key information. That said you opening those people’s profiles and emails that are not yours is most certainly hacking. You could have written this same article without breaching people’s privacy. I have to say I have been following you a long time and found this pretty surprising.

  20. Al Eddy

    Just found your website last night and I got to say LOVE It. keep up the great work right now iam going to go get firesheep.

  21. Brian T. Edmondson

    Jeremy,

    I’m surprised at how few people know about this.

    Once I learned about it, I added the ability to make my cell phone a wifi 4G hot spot and never use public wifi’s at airports (and even hotels) to connect to the internet.

    I can only imagine what you can find at Internet conferences!

    Brian

  22. Rob Woods

    If you want to help protect yourself against Firesheep go and download Blacksheep from Zscaler. It will detect if someone is tryng to hack you using Firesheep. Also follow the advice above. In addition to Facebook and Google I’d recommend setting your Twitter profile to use https as well.

  23. blackhathacker

    This is like so fuckin’ noob…If I use something like BACKTRACk, there’s no way you’re gonna protect yourself and agian backtrack is just the beginning! Hacking tools we linux pros develop are 1000 times better than that stupid firefox plugin!

  24. Arbeit

    Yeah shure – theare many ways around this, not only the plugin, also there is a vpn you can buy, so your whole traffic is encrypthed, if you are in affiliate marketing, it can safe you lots of money to buy one of these

  25. Imran

    Does it work when the victim is in a different other than my network? If yes, then it’s ok. But if it doesn’t work then what should I do to hack that victim’s password?

  26. lyndon

    Outstanding – I ought to certainly pronounce, impressed with your site. I had no difficulty navigating by indicates all the tabs also as linked info ended up being genuinely simple to accomplish to accessibility. I lately discovered what I hoped for ahead of you understand it whatsoever.

  27. Ann's Life Quotes

    Major food for thought here……. Thanks you very much Jeremy for bringing this to our attention. I spend a lot of time in public places on wifi and I cringe at the thought that someone has been “watching” me? Just changed both my Facebook and Gmail settings as instructed. Feel a bit better now. Would there be any other things people could get access to this way? Such as internet banking?

  28. Don Lawrence

    Why would anyone care about their Facebook account being hacked? What have you got hidden there? What your lame friends are saying about their noneventful lives? Hack away…

    1. christine

      Hi Folks — hoping someone here can help me. My son’s crazy ex-girlfriend has hacked into BOTH his FB and his email. His email address is attached to his FB account, and she has changed everything so HE cannot access HIS FB account, nor can we figure out how to fix the problem because she changed the email addy attached to his FB, so doing a password reset isn’t feasible — it would just send the information to the email she has set up for his account. I tried to report as hacking in FB, but have the same issues – it will just send an email to HER. Shame on him for giving her his passwords in the first place……you’re an idiot when you’re that young and “in love”. Hahaha. Sure appreciate help from anyone out there……..cheers.

  29. Audiobook Online

    I try to keep away from public networks whenever possible but didn’t realise it was that easy for my details to be given to all and sundry.

    Thanks for the info – it’s actually pathetic that we have to live our lives worrying about this sort of crap.

  30. Irfan Baig

    Hey any one hack a facebook page for me? page got 6000 fans

    if you can get it banned / deleted in any way ( through bulk report abuse etc ) i can give you 50 $

    & if you transfer the admin i will pay you 100 $. ( also tell me how many days i will remain the admin )

    If you cant do this work freely tell me you cant do as i will pay you when you got the work done.

    Also tell me how i will pay you?

    Thank You

  31. Facebook password hack

    Hi, i think that i noticed you visited my site thus i got here to go back the favor?.I am trying to find things to enhance my website!I guess its adequate to make use of some of your ideas!!

  32. Mike Benton

    Thanks for this info-you probably saved hundreds of people from having their 411 hacked, me included. I’m going to change my own Google settings now, too, as I often use WiFi at my daughter’s gymnastics practice. Thanks again!

  33. cnotte

    Can u only download firesheep with pc or can it b done without pc iv been trying to get this addon for a minute plus winpcap but get anything done with my maxx tks

  34. לקנות לייקים

    I’d like to thank you for the efforts you have put in writing this site. I’m hoping to view
    the same high-grade blog posts by you later on as well. In truth, your
    creative writing abilities has encouraged me to get my very
    own blog now ;)

  35. im target

    I was suggested this blog by my cousin. I’m not sure whether this post is written by him as nobody else know such detailed about my trouble. You’re amazing!
    Thanks!

  36. Irvin

    I’ve learn some excellent stuff here. Certainly worth bookmarking for revisiting. I wonder how much effort you place to create one of these wonderful informative web site.

  37. hotels in gensan

    Hi there to every body, it’s my first pay a quick visit of this webpage; this webpage includes amazing and really excellent data in favor of visitors.

  38. Dave

    Link exchange is nothing else however it is simply placing the other person’s blog link on your page at suitable place and other person will also do same in favor of you.

  39. metronome online tap

    Hey! Do you know if they make any plugins to assist with Search
    Engine Optimization? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good results.

    If you know of any please share. Kudos!

  40. SCAMMING THIEVES

    Hi, I do think this is a great website. I stumbledupon it ;) I’m going to revisit once again since i have saved as a favorite it. Money and freedom is the greatest way to change, may you be rich and continue to help others.

  41. ホテル

    Hello there, You’ve done an incredible job. I’ll definitely digg it and personally suggest
    to my friends. I am sure they’ll be benefited from this website.

  42. Elma

    Does your website have a contact page? I’m having trouble locating it but, I’d like
    to shoot you an e-mail. I’ve got some suggestions for your blog you might be interested in hearing. Either way, great blog and I look forward to seeing it improve over time.

Comments are closed.