Irresponsible answers by Yahoo and Facebook to report of account takeover security flaw

I am from Nepal. We don't have the best technology access that developed nations have.
But the level of internet access in my place is comparable to any country in the world. The basic purpose of the internet in my place is social media usage.
Almost two or three months ago, I was going through Yahoo's terms and conditions for signing up an account and I found a major problem. Using this bug of Yahoo, any account could be easily hacked if the account uses the Yahoo mail service.
I tried it to hack my dad's Facebook account and found that Facebook doesn't check the existence of the email account attached to Facebook.
I reported it to Facebook and Yahoo; both gave me very irresponsible answers.
I have attached my report to Facebook and my conversation with Facebook.

Your first screenshot did not upload correctly. I guess this one contained the ultimate response you received after FB investigated your report?

TL;DR on the issue:

Someone (a hacker) is able to take control of another person’s Facebook account, in cases where the email address used to create that account (in your case at Yahoo) was removed. The hacker can then recreate the email in their control and simply send a password reset request to Facebook and receive a link by email to reset the password of your account.


Note that this is a known issue. I gather FB’s response was something along the lines of “Managing the email associated to your account and ensuring it remains valid is your own responsibility”.

And in a way it is. There is no way that Yahoo can see which login accounts you have associated with your email account. Similarly - if the hacker was quick to re-register your email address - there is no way for Facebook to know that the email changed ownership.

Unfortunately this kind of hacking happens often. There is even a more insidious form of it: it happens too with domain names that are no longer registered. If a company goes bankrupt or otherwise decides to drop a domain name, then hackers can register it and run a mail server on that domain name. This way they'll automatically receive all kinds of password reset requests from former employees, and can easily hunt for more.


Ways to mitigate:

  • Manage your own accounts carefully, especially email accounts
  • Specify additional email and/or phone as secondary channels for (account-related) notifications if possible
  • If you change your email provider then do not drop the old account until you are 100% sure it has no logins associated to it anymore
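The reset flow described above, as an added example that is not code from the original thread or from Facebook or Yahoo: a simulated reset mailer and a simulated receiving mail server using the Require-Recipient-Valid-Since header of RFC 7293, which was designed for exactly this recycled-mailbox problem. The account records, mailbox creation dates and addresses are constructed sample data; the reset URL is a placeholder.

```python
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Constructed data: the social network's record of when each user confirmed their address.
ACCOUNTS = {
    "alice": {"email": "alice@example.net", "verified_at": datetime(2015, 3, 1, tzinfo=timezone.utc)},
    "bob":   {"email": "bob@example.net",   "verified_at": datetime(2015, 3, 1, tzinfo=timezone.utc)},
}
# Constructed data: the mail provider's record of when each mailbox was (re)created.
# alice@example.net was abandoned and re-registered by someone else in 2019; bob's never changed hands.
MAILBOXES = {
    "alice@example.net": datetime(2019, 6, 1, tzinfo=timezone.utc),
    "bob@example.net":   datetime(2012, 1, 1, tzinfo=timezone.utc),
}

def build_reset_mail(username: str, use_rrvs: bool) -> EmailMessage:
    """Compose the password-reset mail; optionally add the RFC 7293 RRVS header."""
    acct = ACCOUNTS[username]
    msg = EmailMessage()
    msg["To"] = acct["email"]
    msg["Subject"] = "Password reset"
    if use_rrvs:
        # "address; date-time": ask the receiver to deliver only if this mailbox has had
        # the same owner since the date the address was last confirmed with us.
        msg["Require-Recipient-Valid-Since"] = f"{acct['email']}; {format_datetime(acct['verified_at'])}"
    msg.set_content("Reset link: https://social.example/reset?token=PLACEHOLDER")
    return msg

def receiver_decision(msg: EmailMessage) -> str:
    """Simulated receiving mail server: 'deliver', 'reject-recycled' or 'reject-unknown'."""
    rcpt = str(msg["To"])
    created = MAILBOXES.get(rcpt)
    if created is None:
        return "reject-unknown"
    rrvs = msg["Require-Recipient-Valid-Since"]
    if rrvs is None:
        return "deliver"            # legacy behaviour: whoever holds the mailbox now gets the link
    addr, _, when = str(rrvs).partition(";")
    if addr.strip().lower() != rcpt.lower():
        return "deliver"            # header names another address; this simulation ignores it
    if created > parsedate_to_datetime(when.strip()):
        return "reject-recycled"    # mailbox changed hands after the sender last confirmed it
    return "deliver"
```

Without the header, the recycled mailbox receives the reset link exactly as in the thread; with it, a supporting provider bounces the mail and the sender can fall back to a secondary channel.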

I didn't know about this issue. I found it just some months ago.
Most of the users don't know about the issue. Some know it and use it for wrong deeds.
I think Facebook could find a way if it puts users' security as a priority.
Millions of educated people in my country are at this security risk.
I have personally asked as many users as I can to consider this thing in their Facebook security.
This was the only way I could help people.

One thing I forgot to mention, and also helps to mitigate this, is to enable 2-factor authentication (2FA) in your Facebook account, so a password alone is not sufficient to login.

Yes, I have been using and suggesting the masses to use 2FA through our awareness program.