Update (June 13, 2023): The vulnerability highlighted in the original article below has been resolved and it is no longer possible to break into an account using just a phone number, as far as we know.
Vulnerabilities in the social media platform do exist, but Facebook now operates a bug bounty program that invites third-party researchers to responsibly disclose issues before they are exploited by attackers.
The typical way that threat actors access Facebook now — or other social media accounts, including Instagram and Twitter — is through spam and phishing.
Also: The best VPN services (and why more people should be using them)
The Meta-owned company has to tackle phishing, the propagation of malicious links, and dangerous apps on a daily basis, although you may have also experienced the problem of account cloning and impersonation, used by cybercriminals to obtain access to friends in order to scam them.
If your account has been compromised or you suspect a friend is being impersonated, you can report the problem to Facebook through this portal.
Original coverage (June 16, 2016): It is possible to compromise Facebook accounts using little more than a phone number, researchers have warned.
A security team from Positive Technologies claims that if you know the phone number of your intended victim, you can break into their linked Facebook account thanks to security flaws in the SS7 protocol.
As reported by Forbes, there is a segment of core telecommunications infrastructure that has been left vulnerable to exploit for the last half-decade.
Also: The easiest thing you can do to keep your phone secure
SS7 is a protocol developed in 1975 that is used worldwide to define how networks in a public switched telephone network (PSTN) exchange information over a digital signaling network. However, a network based on SS7 will, by default, trust messages sent over it — no matter where the message originated from.
The security flaw lies within the network and how SS7 handles these requests, rather than a bug on Facebook’s platform. All cyberattackers need to do is to follow the “Forgot account?” procedure through Facebook’s homepage, and when asked for a phone number or email address, offer the legitimate phone number.
Once Facebook has sent along an SMS message containing the one-time code used to access the account, the SS7 security flaw can then be exploited to divert this code to the attacker’s own mobile device, granting them access to the victim’s account.
Also: 3 ways to spot a malware-infected app on your smartphone
The victim must have linked their phone number to the target account, but as the security flaw is found within the telecommunications network and not online domains, this attack will also work against any web service which uses the same account recovery procedure — such as Gmail and Twitter.
Two-step verification is becoming more and more crucial, but until vulnerabilities in telecom services are fixed, using email recovery methods may be the best way to go — as well as the use of very strong, complex passwords for any main ‘hub’ email accounts you use to maintain other online services.