How a hacker stole a Facebook user’s account with just a fake passport

Human error is alive and well in Facebook’s support department.

David bisson
David Bisson

How a hacker stole a Facebook user's account with just a fake passport

A hacker successfully commandeered a Facebook user’s profile by conducting a social engineering attack that involved a fake passport.

The hack occurred on June 26 when an unidentified attacker contacted the Facebook support team posing as Aaron Thompson, a legitimate Facebook user and resident of Michigan in the United States.

The hacker’s original message reads:

Sign up to our free newsletter.
Security news, advice, and tips.

“Hi. I don’t have anymore access on my mobile phone number. Kindly turn off code generator and login approval from my account. Thanks.”

In its response, Facebook provided the hacker with a few recommendations for how they could regain access. They also said the Thompson poser could provide Facebook with two things if it still wasn’t possible to access the profile: a scan of a photo ID and a description of the issue being experienced.

The attacker replied with this fake passport.


Facebook could have easily determined that none of the details provided in the passport match the real Aaron Thompson’s profile.

Still, it was enough for the site’s support staff, who disabled Thompson’s login approval settings and granted the hacker access to the account.

Facebook sent a message to the email address attached to Thompson’s profile explaining the change in his account settings:


It was then that Thompson first learned of the hack.

But, by then, the attacker had already gained access to Thompson’s account, including his access to several business pages he managed on Facebook.

Motherboard reports Thompson is convinced the hacker targeted him in an attempt to monetize his pages.

But the attacker did no such thing. Instead he sent out only a few messages to the hacked user’s friends. Most notably, he sent an image of his genitals to the victim’s girlfriend.

Thompson contacted Facebook support but initially experienced some difficulty in resolving the issue. Frustrated, he decided to share his story on Reddit, where he said he was “pretty devastated” about the “blatant harassment” the hacker had perpetrated against him and his social circle.

Shortly thereafter, Facebook’s support team stepped it into high gear and helped Thompson regain access to his account and business pages.

A Facebook spokesperson said the incident should never have happened:

“Accepting this ID was a mistake that violated our own internal policies and this case is not the norm.”

Clearly, no matter how many security features we might enable on our accounts, including two-step verification (2SV), human error can still threaten our account security.

That’s why companies like Facebook should continuously review and update their security policies, not to mention regularly train their employees to not fall for a social engineering attack like the one that locked Thompson out of his account.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.