The Most Hated Man on the Internet

This Netflix docuseries depicts the scheme used by Hunter Moore to obtain compromising pictures of individuals that were posted on Moore’s website without the owner’s consent.

It was determined that numerous pictures used by Moore were obtained from hacked email accounts. The method used by the hacker was quite simple but very effective: they would crack the account’s password and bypass multi-factor authentication by sending a Facebook message to the account owner, impersonating a friend who needed help resetting their email account because they were locked out.

The hacker would ask the account owner to give them the code and with that, they would have full access to the account and lock the owner out.

Do you know what was the account owner’s mistake?

ANSWER

The account owner’s (the target) mistake was to forget that the “friend” (hacker) could have never changed the phone number to receive the reset code if they were locked out of their account. The way multi-factor authentication works is by asking the account owner for their password and a code would be sent via text message to their selected phone. So, the hacker (“friend”) was actually resetting the target’s account password by sending the code to the account owner’s (the target) phone. Once the target would disclose the code to the hacker, they would unlock their account giving full access to the hacker.

Remember, unless you have been set to receive codes from the beginning, you cannot help friends and family by receiving and relaying their codes.