I’m specifically referring to things like the ads for cheap sunglasses that I’ve been seeing for what seems like over a decade now and the more recent “look who died in an accident” video links that three of my elderly aunts have had on their accounts in the last year. Who is “hacking” these accounts and what are they gaining from it?
Someone got drunk and made a post they regret.
Seriously though, they’re using the same password and email combo they use everywhere else; it was compromised in a breach of another site, or they got phished, and a bot logged into their Facebook account and started sending spam to all their friends.
That’s it. It is considered “hacking,” I guess, but it’s not like they were special enough to be targeted and someone sat there for weeks trying to break into their account. They’re not that special.
No one is ‘hacking’ them.
Most Facebook hacks are either the result of phishing (directing the user to download software that contains viruses or malware, or to a fake website that looks real in order to get them to ‘log in’ and hand over their login credentials) or the result of the user giving something permission to do things, such as post via their account.
Many people use the same password over and over for everything. There are multiple ways of guessing, tricking, or computing passwords. If you know enough about a person you can guess. You can target them with a fake login “To stop getting spam login with your username and password!” You can literally brute force a password with a program running millions of iterations of numbers, letters and symbols per second until you get a “hit.”
To take over an account you login with the stolen password, reset the recovery email/phone number to things you control, then do what you do.
How to protect against you, the hacker?
Big passwords. Because people are lazy the most common password is: 123456, what an idiot would put on his luggage. The second most common is: password/Password/PassWord/P4$$W0RD… Yeah. Anyone reading this and saying “Hey, I need to change the code on my luggage?” Better is a phrase, words you can memorize. Your child’s first sentence: Dadagiveme1! The last line in your favorite Sabaton song: N0rmandy$tate0f4narchy0verlord. Do *NOT* use anything with birthdays, maiden names, schools, towns or anything in your profiles on any digital media.
These people, if it was a true account breach and not a stupid post they tried to deny later, had weak-sauce passwords.
Listen to Darknet Diaries and you will not rest soundly wondering if your old Mojang Minecraft password that you used on everything when you were 12 is still out there, somewhere, waiting to find you.
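The three rules in the post above (not a common password, nothing taken from your profile, long enough that grinding through the keyspace is hopeless) can be turned into a check you can run over candidate passwords. This is an added example written for this page, not code from the poster or from Facebook; the common-password shortlist, the leet-speak substitution table, the sample profile and the 10^9 guesses-per-second rate are all constructed assumptions for the demo.

```python
import re
import string
from typing import Dict, List, Set

# Constructed shortlist standing in for a breached/common-password corpus
# (an assumption for this example; a real check loads a full dump).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "111111", "iloveyou", "letmein", "abc123", "football",
}

# Cheap "leet" substitutions attackers apply as mangling rules, so that
# P4$$W0RD is treated as the dictionary word it really is.
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "$": "s", "5": "s",
                      "3": "e", "1": "i", "!": "i", "7": "t"})

# Assumed offline guessing rate against a leaked fast hash.
GUESSES_PER_SECOND = 10 ** 9

# Constructed sample profile: the kind of data the post says never to reuse.
PROFILE = {"birthday": "1984-03-09", "maiden_name": "Smith",
           "town": "Dayton", "school": "Stivers High"}


def normalize(pw: str) -> str:
    """Lowercase and undo common leet substitutions."""
    return pw.lower().translate(LEET)


def is_common(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must search given the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def brute_force_years(pw: str) -> float:
    """Worst-case years to exhaust every string of this length and charset."""
    seconds = charset_size(pw) ** len(pw) / GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)


def profile_tokens(profile: Dict[str, str]) -> Set[str]:
    """Guessable fragments derived from profile fields (names, towns, dates)."""
    tokens: Set[str] = set()
    for value in profile.values():
        v = str(value).lower()
        for part in re.split(r"[^a-z0-9]+", v):
            if len(part) >= 3:
                tokens.add(part)
        digits = re.sub(r"\D", "", v)
        if len(digits) >= 4:
            tokens.add(digits)       # full date with separators stripped, e.g. 19840309
            tokens.add(digits[:4])   # the year on its own
    return tokens


def profile_leaks(pw: str, profile: Dict[str, str]) -> List[str]:
    """Profile fragments present in the password, raw or de-leeted."""
    low, norm = pw.lower(), normalize(pw)
    return sorted(t for t in profile_tokens(profile) if t in low or t in norm)


def evaluate(pw: str, profile: Dict[str, str], min_years: float = 100.0) -> dict:
    """Apply the post's three rules and report every reason for rejection."""
    reasons = []
    if is_common(pw):
        reasons.append("on the common-password list")
    leaks = profile_leaks(pw, profile)
    if leaks:
        reasons.append("contains profile data: " + ", ".join(leaks))
    years = brute_force_years(pw)
    if years < min_years:
        reasons.append(f"exhaustive search takes about {years:.3g} years")
    return {"password": pw, "accepted": not reasons,
            "reasons": reasons, "brute_force_years": years}


if __name__ == "__main__":
    for candidate in ["123456", "P4$$W0RD", "Dayton1984!",
                      "Dadagiveme1!", "N0rmandy$tate0f4narchy0verlord"]:
        print(evaluate(candidate, PROFILE))
```

The de-leeting step is what catches the `P4$$W0RD` family the post jokes about; the profile check catches `Dayton1984!` even though its raw keyspace looks respectable, which is exactly why the post says length alone is not enough.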
Since this is ELI5, here are two common examples:
1. I have the key to my house, but one day I’m out and about and I see something that looks like my front door. I want to go inside because a sign says there’s something cool and free inside.
When I stick my key in, it’s actually a key copying machine and now a bad person has a copy of my house key. They know where I live and they go, unlock the door and do some bad things. Maybe they even post some fake front doors with cool signs outside my house, to trick other people!
2. Same scenario, but I have 10 houses that I own, and should have ten sets of keys to unlock all of them. But I get lazy and decide to use the same key to open all of them. So now, after scenario 1, the same bad person can open all 10 of my houses (they guessed which ones were mine) and do the same thing with fake front doors and cool signs to trick more people.
I’m going to say something that is against the grain of what almost everyone else here is saying. For background, I’ve been in tech for 20+ years and take my online security very seriously.
Recently, my Facebook was indeed hacked. I use a different password for everything as well as two-factor authentication. I got an email notification that an email address had been added to my account, and another one saying my password had changed. Despite having a link in those emails to tell them that it was not me that made the change, Facebook has an annoying UX problem where they won’t simply roll this back; they want to email a confirmation code, even though they will only send it to the new email.
After a couple of days of following obscure Facebook support links, I was able to regain control of my account. I locked it down: two-factor authentication, a maxed-out new password that was well beyond their minimum requirements, etc.
Two days later, the exact same thing happened.
It’s impossible that they knew my password or that they got past two-factor authentication. What I learned is that there is a known cookie exploit, and somehow they were utilizing an authenticated session via this exploit. I went in and removed every logged-in instance, and then logged in again with only the application on my phone. So far, this has worked.
What I learned through this process is that they’re just trying to turn these accounts into accounts and batch processing at a time.
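The situation this poster describes, a stolen authenticated session that keeps working through a password reset until every logged-in session is removed, comes down to whether the server ties sessions to the credential that issued them. The toy session store below is an added example written for this page, not Facebook's code, and it assumes nothing about how Facebook's sessions actually work; the `SessionStore` class, its `invalidate_on_change` switch and the `takeover_scenario` helper are hypothetical names for the demo.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Server-side session store (hypothetical, for illustration only).

    Every session records the password 'generation' it was issued under.
    With invalidate_on_change=True, rotating the password bumps the
    generation and every cookie issued before the rotation stops
    validating. With invalidate_on_change=False (the behaviour the post
    ran into) a password change leaves existing cookies usable, and only
    an explicit revoke_all() ends the attacker's session.
    """

    def __init__(self, invalidate_on_change: bool) -> None:
        self.invalidate_on_change = invalidate_on_change
        self.password_generation: Dict[str, int] = {}
        # cookie hash -> (username, generation at issue time)
        self.sessions: Dict[str, Tuple[str, int]] = {}

    @staticmethod
    def _key(cookie: str) -> str:
        # Store only a hash so a leaked session table does not leak live cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Issue a fresh random session cookie for an authenticated user."""
        gen = self.password_generation.setdefault(user, 0)
        cookie = secrets.token_urlsafe(32)
        self.sessions[self._key(cookie)] = (user, gen)
        return cookie

    def validate(self, cookie: str) -> Optional[str]:
        """Return the username for a live cookie, or None if it is not accepted."""
        entry = self.sessions.get(self._key(cookie))
        if entry is None:
            return None
        user, gen = entry
        if self.invalidate_on_change and gen != self.password_generation.get(user, 0):
            return None  # issued before the latest password change
        return user

    def change_password(self, user: str) -> None:
        """Record a password rotation; the hash itself is out of scope here."""
        self.password_generation[user] = self.password_generation.get(user, 0) + 1

    def revoke_all(self, user: str) -> None:
        """The 'log out of every device' button: drop all of the user's sessions."""
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] != user}

    def active_sessions(self, user: str) -> int:
        return sum(1 for u, _ in self.sessions.values() if u == user)


def takeover_scenario(invalidate_on_change: bool) -> dict:
    """Replay the post's sequence: cookie stolen, password reset, then revoke all."""
    store = SessionStore(invalidate_on_change)
    victim_cookie = store.login("aunt")
    stolen = victim_cookie  # attacker obtains a copy of the live cookie
    store.change_password("aunt")  # victim resets password, as the poster did
    valid_after_change = store.validate(stolen) is not None
    store.revoke_all("aunt")  # 'remove every logged-in instance'
    valid_after_revoke = store.validate(stolen) is not None
    return {
        "stolen_cookie_valid_after_password_change": valid_after_change,
        "stolen_cookie_valid_after_revoke_all": valid_after_revoke,
        "sessions_left": store.active_sessions("aunt"),
    }


if __name__ == "__main__":
    print("sessions survive password change:", takeover_scenario(False))
    print("sessions bound to password generation:", takeover_scenario(True))
```

The lesson for anyone building authentication: a password reset should bump a per-user generation (or equivalent) that every session is checked against, so that the victim's reset alone evicts whoever holds a stolen cookie, instead of relying on the victim to find the "log out everywhere" control.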
Just like others have mentioned, very few accounts get hacked and it’s usually some phishing page that looks like Facebook and people type in their credentials and that’s how they get stolen.
Attackers would log in and start posting spam. With the sunglasses, I suspect it’s some fake website where people think they are purchasing Ray-Bans but end up with their credit card stolen, or with some cheap Chinese sunglasses for $20, so the attackers just make a profit. The other case, where attackers post a link to a supposed video of somebody that died, is most likely another scam website that can have a million things on it, like other phishing pages or even malware that looks for vulnerabilities in the browser or operating system and exploits them. Most likely it’s just a website that redirects visitors to some affiliate link or ad, and the attackers make money from those ads.