Your Facebook can be accessed without a password!
Facebook employees have a tool to get into your account without your password
If you have ever interacted with a Facebook employee through the social network's helpdesk, you will know that they can access your account with ease. So it was for Paavo Siljamäki, director at the record label Anjunabeats, when he recently dealt with a Facebook employee. In a post on his Facebook timeline, Paavo described meeting a Facebook employee at the company's LA office to discuss how he could use Facebook better; the employee asked whether they could access his account. When he agreed, the employee simply opened his account without asking for any password. Surprisingly, he received no notification that his account had been accessed. The employee could see all of his private data (posts, photos and almost everything else), leaving him wondering whether Facebook employees have a master password that lets them look into anyone's account. “What are the rules on who and when they can access our private content and how would we know if someone did?” Paavo's post asked.
Shocking as it may seem, this is no surprise to anyone familiar with how helpdesks operate. The same arrangement applies to most online helpdesk staff, who can reach your personal data without your credentials. Whether it is banking, telecom, social networking or anything else, a helpdesk employee generally has a master password to get into your online account, although they are not supposed to use it without your consent.
But what if an employee does not have your consent? They can still gain access, but at the risk of losing their job and even being prosecuted. Every company has stringent rules for helpdesk employees who deal with sensitive content. Only a handful of employees are given the master password, and every access is recorded and safely stored for future reference in case of a mishap.
In Paavo's case, Facebook also has stringent rules: only a handful of helpdesk employees are given the tool that opens a Facebook account without a password, and they may use it only with the user's consent, or risk losing their job.
VentureBeat reported that a Facebook spokesperson gave them the following statement on the rules that apply to every helpdesk employee:
“We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner’s Office as part of their audit of our practices.
Access is tiered and limited by job function, and designated employees may only access the amount of information that’s necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.
We have a zero tolerance approach to abuse, and improper behavior results in termination.”
Although Facebook restricts this heavily guarded tool to a select group of helpdesk employees, there is still a real chance of it being abused. Worse, you may never know that your account has been accessed, because no notification is sent to you, and there is no way to find out whether someone looked into your account, whether for a legitimate reason, out of curiosity or with harmful intent. We are not saying that Facebook or other online services would mishandle your privacy, but you would never know if one of their employees did.
Since similar access arrangements apply across online websites and services, it is better not to store sensitive data online at all. If something private up there would bother you, our advice is not to put it there in the first place.
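The controls described above (access tiered by job function, consent before use, every access recorded, periodic review for suspicious patterns) and the gap the article points out (no notification to the account owner) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Facebook's support tool, and every role name, data category, threshold and account in it is constructed for the example:

```python
"""Model of consent-gated, audited support access to a user account.

Added illustration (not Facebook's tool). It mirrors the controls the
article describes: access tiered by job function, consent required before
use, every access recorded, and a weekly review over the audit log. It
also adds the piece the article says is missing: a notification to the
account owner whenever staff view their data. All roles, data categories,
thresholds, ticket ids and accounts below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical tiers: which job functions may read which data categories.
ACCESS_TIERS = {
    "bug_triage": {"account_metadata"},
    "account_support": {"account_metadata", "login_history"},
    "trust_and_safety": {"account_metadata", "login_history", "private_posts"},
}


@dataclass
class AccessRecord:
    when: datetime
    employee: str
    role: str
    account: str
    category: str
    ticket: str
    outcome: str  # "granted" or "denied:<reason>"


@dataclass
class SupportAccessTool:
    consents: dict = field(default_factory=dict)        # account -> set of ticket ids
    audit_log: list = field(default_factory=list)       # every attempt, granted or not
    notifications: list = field(default_factory=list)   # messages sent to account owners

    def record_consent(self, account, ticket):
        """The owner agreed that staff may act on their account for this ticket."""
        self.consents.setdefault(account, set()).add(ticket)

    def access(self, employee, role, account, category, ticket, now):
        """Check tier and consent, log the attempt, notify the owner on success."""
        if category not in ACCESS_TIERS.get(role, set()):
            outcome = "denied:outside_tier"
        elif ticket not in self.consents.get(account, set()):
            outcome = "denied:no_consent"
        else:
            outcome = "granted"
        self.audit_log.append(AccessRecord(now, employee, role, account, category, ticket, outcome))
        if outcome == "granted":
            self.notifications.append(
                f"{account}: {role} staff viewed your {category} for ticket {ticket}")
        return outcome


def weekly_review(audit_log, week_end, max_accounts_per_employee=20, max_denials=3):
    """Flag employees who touched unusually many distinct accounts in the past
    seven days, or who accumulated denials (probing outside their tier or
    without consent). Thresholds are constructed for the example."""
    start = week_end - timedelta(days=7)
    window = [r for r in audit_log if start <= r.when <= week_end]
    accounts_seen, denials = {}, Counter()
    for r in window:
        if r.outcome == "granted":
            accounts_seen.setdefault(r.employee, set()).add(r.account)
        else:
            denials[r.employee] += 1
    flagged = {}
    for emp, accts in accounts_seen.items():
        if len(accts) > max_accounts_per_employee:
            flagged.setdefault(emp, []).append(f"{len(accts)} distinct accounts in 7 days")
    for emp, n in denials.items():
        if n >= max_denials:
            flagged.setdefault(emp, []).append(f"{n} denied attempts")
    return {emp: "; ".join(reasons) for emp, reasons in flagged.items()}


def run_demo():
    """Deterministic walk-through with constructed staff and accounts."""
    tool = SupportAccessTool()
    t0 = datetime(2015, 3, 1, 9, 0)
    tool.record_consent("paavo", "T-100")
    r1 = tool.access("alice", "account_support", "paavo", "login_history", "T-100", t0)
    r2 = tool.access("alice", "account_support", "paavo", "private_posts", "T-100", t0)
    r3 = tool.access("bob", "trust_and_safety", "paavo", "private_posts", "T-999", t0)
    for i in range(2):  # bob keeps trying without a consented ticket
        tool.access("bob", "trust_and_safety", "paavo", "private_posts", "T-999",
                    t0 + timedelta(minutes=i + 1))
    for i in range(25):  # carol works 25 consented tickets in one day
        acct, ticket = f"user{i}", f"T-{200 + i}"
        tool.record_consent(acct, ticket)
        tool.access("carol", "account_support", acct, "account_metadata", ticket,
                    t0 + timedelta(hours=i))
    flagged = weekly_review(tool.audit_log, t0 + timedelta(days=3))
    return r1, r2, r3, len(tool.notifications), flagged


if __name__ == "__main__":
    print(run_demo())
```

Two design points are worth noting. Denied attempts are logged just like granted ones, because a pattern of "outside tier" or "no consent" denials is itself the signal a reviewer wants to see; and the owner notification is emitted by the same code path that grants access, so it cannot be skipped by whoever operates the tool.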
How to keep your accounts safe online:
- Make sure you change your passwords regularly.
- Make sure your passwords are not easily guessable.
- Create a password that is easy for you to remember, but hard for others to crack.
- Use long passwords.
- Never write down and store your password anywhere for safekeeping. Memorise it.
- Use a strong password that mixes letters (upper and lower case), numbers and special characters, if allowed.
- Enable two-step verification for access to sensitive accounts (if available).
- Make sure all notifications are active for when your accounts are used. Sign up for SMS and email notifications, if available.
- Never share your account details or passwords with anyone. If you ever have to, change the password immediately afterwards.
- Never give out details or passwords to anyone who claims to be from the helpdesk. They do not need them: if they are genuinely from the service, they already have all the details without asking you.
- Never use a computer other than your own to access sensitive accounts. If you have to, use a private (incognito) browsing window.
- Do not let the browser remember your passwords.
- Install an internet security suite and a good antivirus to prevent hackers from gaining access to your PC.
- Don’t type your passwords in the presence of someone else.
- Use the virtual keyboard (if available) for entering passwords.
- Make use of biometrics if available. Fingerprint and retina scans are highly secure.
- Avoid using cybercafé computers for your banking, social networking, etc.
- If available, use OTP (one time password) options with SMS/email.
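The password points in the list above (length, mixed character classes, nothing easily guessable) are the kind of checks a service can enforce at sign-up. The following is an added example written for this page, not code from Facebook or any service the article mentions; the length and entropy thresholds, the long-passphrase exemption and the small blocklist are all constructed assumptions:

```python
"""Password policy checks matching the advice in the list above: minimum
length, mixed character classes, a blocklist of guessable passwords, a
repeated-character check, and a rough entropy estimate.

Added example for this page, not any service's real policy. Thresholds,
the passphrase exemption and the blocklist are constructed assumptions.
"""
import math
import string

# Constructed sample of commonly used passwords; a real deployment would
# use a far larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "facebook", "welcome"}

# Approximate size of the alphabet each character class draws from.
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}


def character_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation, spaces and anything else
    return classes


def estimated_entropy_bits(pw):
    """Upper-bound guess at strength: length times log2 of the alphabet used."""
    pool = sum(POOL_SIZE[c] for c in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, min_length=12, min_classes=3, min_bits=60, passphrase_length=20):
    """Return a list of policy problems; an empty list means the password passes.

    Passwords at least `passphrase_length` long are exempt from the
    character-class rule, so a long all-lowercase passphrase is accepted
    on length alone (a constructed design choice for this example)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = pw.lower()
    # Catch "password", "Password1", "qwerty2015" and similar variants.
    if lowered in COMMON_PASSWORDS or lowered.rstrip(string.digits) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    classes = character_classes(pw)
    if len(pw) < passphrase_length and len(classes) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if len(set(pw)) <= max(1, len(pw) // 3):  # e.g. "aaaaaaaaaaaa" or "abababababab"
        problems.append("too few distinct characters")
    if estimated_entropy_bits(pw) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1", "correct horse battery staple", "Tr0ub4dor&3Xy!Q"]:
        print(repr(candidate), check_password(candidate) or "ok")
```

The entropy figure is deliberately an upper bound: it assumes every character was chosen uniformly from the alphabet used, which a human-chosen password never is, so it is only useful for rejecting obviously weak choices, not for certifying strong ones. The blocklist check matters more in practice than the composition rules, which is why "Password1" is rejected even though it technically mixes three classes.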