Hacking Social Media Accounts and How to Protect Yourself

Antonio Gabor

Certified Ethical Hacker and Network Security Engineer

You have probably heard many times how someone's Facebook or other social media account got hacked, or maybe you have been a victim of a hacking attack yourself. Do you ever wonder how hackers manage to break into your account or a social network? Today there is an abundance of tools and databases in which compromised accounts can be found. Given that human nature is often predictable, it becomes easy to guess the password that was used. OSINT stands for Open-Source Intelligence: the use of publicly available data for investigative purposes. It is considered passive reconnaissance of the target you are planning to attack.

Since authentication on social media usually relies on an email address and password, the first step is to find the target's email address, which can be done using Google Dorks or some OSINT tools. OsintFramework is an excellent site that can help with this.

Okay, we have the email address! What's next?

Large companies are required to disclose any breaches and leaks of personal data. Often, hackers will publish stolen databases somewhere on the Dark Web in an attempt to profit from them.

It is very likely that you have already heard of the website haveibeenpwned.com, and if you haven't, please do yourself a favour and check if your email address is included in any of the major breaches, as there are quite a few of them out there.

In May 2016, LinkedIn experienced a security breach where attackers stole 164 million email addresses and passwords. Half of these passwords were stored using the SHA1 cryptographic algorithm without adding a salt to the hashes, making them highly vulnerable to cracking.
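To see why the missing salt matters from the storage side, the following added example (not code from the original article) stores the same constructed accounts once as bare SHA-1 and once with a per-user salt and a slow key-derivation function. The account names, passwords and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); alice and bob reuse one password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "Tr0ub4dor&3x"}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def sha1_unsalted(password):
    """Weak scheme described above: bare SHA-1, 40 hex characters, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_record(password, salt=None):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(kdf_record(password, salt)[1], expected)


def users_sharing_a_value(stored):
    """Return groups of users whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


def demo():
    weak = {u: sha1_unsalted(p) for u, p in USERS.items()}
    strong = {u: kdf_record(p) for u, p in USERS.items()}
    return {
        "weak_collisions": users_sharing_a_value(weak),      # reuse is visible
        "strong_collisions": users_sharing_a_value(strong),  # salt hides reuse
        "alice_ok": verify("Summer2012!", strong["alice"]),
        "wrong_rejected": not verify("summer2012!", strong["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With unsalted SHA-1, every account that shares a password shares a stored value, so one recovered password exposes all of them; with a salt, each record has to be attacked separately and at the KDF's cost.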

Some well-known software and tools for calculating these hashes are John the Ripper and Hashcat. With a decent graphics card, offline password cracking can be performed, and it requires finding a suitable dictionary that contains a large number of real passwords, such as RockYou, which has over 8 billion unique passwords.

Of course, there is an alternative, and sometimes if we're lucky, we can use online tools like CrackStation or the excellent Dehashed website.

Using the Dehashed website is not free, but it is far cheaper than buying a whole rig with graphics cards, without a doubt!

Since a hashed password consists of exactly 40 hexadecimal characters or 160 bits, it's easy to conclude that it is most likely SHA1. With a bit of luck, they might not be using additional security measures for passwords that were introduced after 2012, as mentioned by Taylor in his article.

By using the md5decrypt hash generator and comparing it with the clear-text password from the BreachCompilation database, I managed to obtain the final password for the LinkedIn account that had the same hash value as the previous one. Et voilà, we have cracked it!

Sha1(m###########i) = 0###################################0f0

Wondering How to Protect Yourself? No worries, I got you!

  1. Use strong passwords with a combination of special characters, lowercase and uppercase letters, and numbers.
  2. Enable multi-factor authentication whenever possible on social media platforms.
  3. Avoid using words that can be found in dictionaries.
  4. Do not recycle passwords. Create unique passwords for different social media accounts.
  5. Consider periodically changing your passwords.
  6. It is recommended to use a password manager, but make sure the password manager itself is secure.
  7. Length matters. Aim for a minimum of 13 characters in your passwords.
  8. Do not share your passwords with anyone.
  9. Check if your data has been compromised in any of the aforementioned breaches.
  10. Avoid using personal information in your passwords, as it is easily accessible to others.
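Several items on this list can be checked automatically when a password is chosen. The sketch below is an added example, not part of the original article; it covers items 1, 3, 7 and 10. The tiny word list, the substitution table and the sample passwords are constructed for illustration, and a real deployment would use a large dictionary or breached-password list instead.

```python
import re

# Constructed mini word list standing in for a real dictionary or breach list.
COMMON_WORDS = {"password", "summer", "dragon", "welcome", "qwerty", "belgrade"}
MIN_LENGTH = 13  # item 7 of the checklist

# Undo common letter substitutions so "P@ssw0rd" is still seen as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text):
    """Lowercase and reverse simple substitutions before matching."""
    return text.lower().translate(LEET)


def check_password(password, personal_info=()):
    """Return the checklist items the password violates (empty list = pass)."""
    problems = []
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        problems.append("item 1: mix lowercase, uppercase, digits and special characters")
    plain = normalise(password)
    hits = sorted(w for w in COMMON_WORDS if w in plain)
    if hits:
        problems.append("item 3: contains dictionary word(s): " + ", ".join(hits))
    if len(password) < MIN_LENGTH:
        problems.append(f"item 7: shorter than {MIN_LENGTH} characters")
    # Personal facts (names, birth year, favourite team) are easy to find via OSINT.
    leaked = sorted(t for t in personal_info if len(t) >= 3 and normalise(t) in plain)
    if leaked:
        problems.append("item 10: contains personal information: " + ", ".join(leaked))
    return problems


if __name__ == "__main__":
    for pw, info in [("P@ssw0rd2024", []),
                     ("Milan1985!Zvezda", ["Milan", "1985", "zvezda"]),
                     ("vT9#qLm2&Xr8!pZw", [])]:
        print(pw, "->", check_password(pw, info) or "passes")
```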

Now that you know how hackers can steal your account and how to protect yourself from it, please share this information with your friends, family, and especially elders who are often the primary targets of various phishing campaigns and scams. Lastly, I sincerely hope that this will help you better protect yourself in the age of cybercrime and make it just a bit more difficult for hackers, so that they give up hacking you altogether!

Stay vigilant and stay safe!
