Someone Asked Me to Hack a Facebook Account Today

No, I Cannot Hack Your Facebook — But Here's What Actually Gets Accounts Stolen

It happened again today.

A co-worker pulled me aside with that familiar tone — the one that means the question coming is either about a printer that stopped working or something significantly more complicated. She leaned in slightly and asked: "Kuya, do you know how to hack a Facebook account?"

I said no. Immediately and without hesitation.

Not because I was being difficult. Not because I was protecting some secret IT knowledge that only professionals are allowed to have. I said no for two reasons that I will state plainly right here: first, I genuinely do not know how — hacking is a completely separate discipline from what I do, and anyone who tells you that all IT people can hack things is confusing two very different skill sets. Second, and more importantly — it is unethical. Full stop. No gray area.

Just because someone works in IT does not mean they operate outside the rules that apply to everyone else. Ethics are not optional in this field. They are the field.

But here is the thing. After I said no and the conversation moved on, I kept thinking about why people ask that question in the first place. Usually it is because something happened — an account was compromised, a friend got locked out, someone received messages they did not send. And the assumption is always the same: someone hacked me.

Most of the time that assumption is wrong. And understanding why it is wrong is actually the most useful thing I can share.

Facebook Is Not as Easy to Break Into as People Think

Here is something worth understanding before anything else: Facebook in 2026 is genuinely well-secured at the infrastructure level. The company spends enormous resources on platform security. Even if you use a weak password (and you should not), Facebook's two-factor authentication, once it is turned on, means that logging into your account from an unrecognized device requires a second verification step: a code sent to your phone, an authentication app confirmation, or a backup code.

That layer of protection means that simply knowing someone's password is no longer enough to access their account from a new device. The attacker would also need physical access to your phone or your email — which raises the difficulty level significantly.

So when someone tells me their Facebook account was hacked, my first question is not who broke into Facebook's servers. My first question is: what did you do recently that you were not supposed to?

Because in almost every case I have seen — friends, colleagues, family members — the account was not broken into from the outside. The door was opened from the inside, usually without the person realizing they were doing it.

The Real Reasons Accounts Get Compromised

Phishing — the oldest trick that still works

Phishing is when someone sends you a link that looks exactly like a legitimate website but is actually a fake designed to steal your login credentials. You click the link, you see what looks like the Facebook login page, you type your email and password, and you have just handed them directly to whoever built that fake page.

These links arrive in many forms. A message from a friend saying "is this you in this video?" with a link attached. An email warning you that your account will be disabled unless you verify immediately. A comment on a post telling you that you won a prize and need to claim it through a link. A notification that looks like it came from Facebook itself but the sender address is slightly off — faceb00k.com instead of facebook.com, with zeros in place of the letter o.

The fake pages are convincing. They look identical to the real thing. The only defense is the habit of checking the URL before you type anything. If the address in your browser bar is not exactly facebook.com — not a variation, not a subdomain you do not recognize, exactly facebook.com — do not enter your credentials.
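The "check the URL first" habit can be written down as a small check. This is an added example, not part of the original post; the set of recognized hostnames and the example.* sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "facebook.com"
# Assumption: the only hostnames this reader recognizes and will log in on.
RECOGNIZED_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}
# Digits commonly swapped in for letters, as in the post's faceb00k.com.
DIGIT_SWAPS = str.maketrans("01", "ol")


def check_login_url(url):
    """Return a short verdict for a URL that is asking for a Facebook login."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "reject: malformed URL"
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject: not an https web address"
    if "@" in parts.netloc:
        # Text before '@' is a username, not the site being visited.
        return "reject: real host is hidden behind '@'"
    if not host.isascii() or "xn--" in host:
        return "reject: non-ASCII or punycode host (look-alike letters)"
    if host in RECOGNIZED_HOSTS:
        return "ok"
    if host.endswith("." + TRUSTED):
        return "reject: unrecognized subdomain"
    unswapped = host.translate(DIGIT_SWAPS)
    if unswapped == TRUSTED or unswapped.endswith("." + TRUSTED):
        return "reject: look-alike spelling"
    if TRUSTED in host:
        return "reject: facebook.com is only part of another domain"
    return "reject: different domain"


# Constructed sample links; the example.* names are placeholders, not real sites.
SAMPLES = [
    "https://www.facebook.com/login",
    "https://faceb00k.com/login",
    "https://facebook.com.verify-account.example/login",
    "https://facebook.com@login.example/",
    "https://f\u0430cebook.com/login",  # Cyrillic 'a' in place of Latin 'a'
    "https://quiz.facebook.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_login_url(link):55} {link!r}")
```
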

Third-party app access

Have you ever clicked "Login with Facebook" on a quiz website? A game? A giveaway page that promised to tell you which celebrity you look like? Every time you do that, you are granting that application some level of access to your Facebook account. Some of those applications are legitimate. Many are not. Some are specifically designed to harvest your account data or post on your behalf once you grant them permission.

Go to your Facebook settings right now and check which apps and websites have access to your account. You will likely find applications you do not recognize and have not used in years. Remove anything you do not actively use and trust. This takes five minutes and closes a vulnerability most people do not know exists.

Password reuse across multiple platforms

If you use the same password for Facebook that you use for an old forum account, a shopping website, or any other platform that has ever experienced a data breach — and thousands of platforms have — then your Facebook password may already be in a database of leaked credentials somewhere on the internet. Attackers run automated tools that take leaked username and password combinations and try them against major platforms like Facebook, Instagram, Gmail, and others. This is called credential stuffing and it is responsible for a significant number of account compromises that people attribute to hacking.

The fix is simple in principle and annoying in practice: use a different password for every account. A password manager makes this manageable. You only need to remember one master password and the manager handles everything else.

Saved passwords on shared or public devices

Logging into Facebook on a computer at an internet cafe, a friend's laptop, or any device that is not yours — and saving the password when the browser asks — is handing your credentials to whoever uses that device next. The same applies to staying logged in on a device you later sell, give away, or lose without logging out first.

Always log out completely when using someone else's device. Never save passwords on public computers. And if you have ever sold or given away a phone or laptop without factory resetting it first — change your passwords now, on everything.

The Basics That Actually Protect You

None of these require technical knowledge. They require only the habit of doing them.

Turn on two-factor authentication if you have not already. Go to Facebook Settings, then Security and Login, then Two-Factor Authentication. Enable it. Use an authenticator app rather than SMS if possible — SMS codes can be intercepted through SIM swapping attacks, while authenticator apps generate codes locally on your device. This single step makes your account dramatically harder to access without your phone physically present.

Use a strong and unique password. A strong password is long — at least twelve characters — and contains a mix of letters, numbers, and symbols. More importantly, it should be unique to Facebook and not used anywhere else. If remembering multiple passwords sounds impossible, a password manager like Bitwarden — which is free — handles this automatically.

Check your active sessions regularly. Facebook shows you every device currently logged into your account and from where. Go to Settings, then Security and Login, then Where You're Logged In. If you see a device or location you do not recognize, end that session immediately and change your password.

Be suspicious of everything that asks for your login. Legitimate Facebook notifications do not arrive through Messenger from friends. Legitimate prize notifications do not come with links to external websites. If something feels slightly off about a message or a link, it is almost certainly off. Do not click first and investigate later. Investigate first.

Review your connected apps and remove what you do not need. Settings, then Apps and Websites. Remove anything you do not recognize or no longer use. Do this once every few months as a routine check.

A Note on Ethics — Since We Started There

I want to come back to where this started because I think it matters.

The co-worker who asked me that question this morning probably had a reasonable reason behind it — a compromised account, a locked-out friend, a situation that felt genuinely urgent. I understand that. The frustration of losing access to an account you have had for years is real.

But the solution to that problem is never someone else accessing that account without authorization. Even with good intentions, unauthorized access to another person's account is illegal under Philippine cybercrime laws — Republic Act 10175, the Cybercrime Prevention Act of 2012, covers unauthorized computer access explicitly. Good intentions do not change the legal definition.

The correct path is always through Facebook's official account recovery process, through the person's registered email or phone number, through identity verification with Facebook directly. It is slower and more frustrating than a shortcut. It is also the only legitimate option.

I am studying for my Google Cybersecurity certificate right now. One of the first things the program establishes — before tools, before techniques, before anything technical — is professional ethics. The reason is simple: the knowledge is only as trustworthy as the person who holds it. An IT professional without ethics is just a threat with better access.

So no. I cannot hack your Facebook account. I would not even if I could.

But I just gave you everything you need to make sure nobody else can either.

-Mavs

System Disclaimer: The information in this post is for educational and informational purposes only. Always follow official platform guidelines and consult a cybersecurity professional for specific concerns. Philippine users should be aware that unauthorized account access is covered under Republic Act 10175 — the Cybercrime Prevention Act of 2012.

Sources:

Facebook Help Center — Keeping Your Account Secure: https://www.facebook.com/help/213481848684090

Google Safety Center — Phishing: https://safety.google/security/phishing

Official Gazette — Republic Act 10175 Cybercrime Prevention Act: https://www.officialgazette.gov.ph/2012/09/12/republic-act-no-10175/

