For one thing, many people use the same password for multiple websites.

Does anyone actually hack them, or are they really hijacked? A lot of people seem to think that someone actually targeted them and broke into their e-mail accounts, for example, when they might have just used software routines to get hold of access information and exploit it without ever actually looking at it or handling it themselves. A FB or other profile is a way back to your computer, and thus much more valuable than looking at your photos and friends online.

At least, this is my understanding. If I’m wrong, someone please set me straight.

Again as I understand it, these invading programs can actually take control of portions of your computer and use them as bots to send out spam and relay other kinds of data, such as financial information illicitly gained. It can be used as a node in a network that becomes hard or impossible to trace. They don’t actually care anything about your personal e-mail or what you write to your friends.

They try and send scam requests to friends and family saying your in desperate need of funds and could they please help out,type thing.

I did a bit of rooting on the Google, apparently a lot of these hackers are stalkers who are obsessed and want to going peoples private information.

They can ask your friends for money claiming to be you, and in trouble.

It’s not just the password, as @longgone notes – though that can be a lot in itself. It’s also access to the victim’s social network, a collection of people who may think that they are conversing with the principal when conversations are started or responded to. “Social engineering” is usually the weakest link in any security apparatus.

If I wanted to gain access to my employer’s building after being fired, for example, all I would have to do is stand outside the door looking like I left my security card at home – because that happens every day here to someone, somewhere – and the person entering the building with authorization would more than likely smile and let me in, and commiserate that it happened to him a few weeks ago, too.

Facebook can figuratively offer the same kinds of direct access to programs, networks and websites. (When you sign into new web accounts of various kinds, for example, take a look at the various “log in with Facebook” options. Now consider that someone who wants to create multiple accounts of various types can “log in with Facebook” on those sites – and the havoc that can then be generated.)

In addition to access to the person’s network of friends and family, many people have pets and family members featured – and those are common security questions to any “forgot my password” question on other sites and accounts.

I saw a (supposedly) real-life demonstration of just how simple this kind of hacking is, when a security expert accepted a reporter’s challenge to “show me how it’s done”. The person found a way into some social network site, pretended to be the reporter and asked one of the reporter’s contacts something personal, then used the information that she had obtained to log into the reporter’s credit card account using a “forgot my password” question to reset that password and log in. (She may have done those in reverse order, I think. That seems more likely. More like “got the security question”, then sent a message to his sister about “what was our first dog’s name, anyway? I’m just drawing a blank here.”) Then, since she was in the credit card account, she changed the mailing address and email addresses, responded positively to the follow-up notification from the credit card company that “your information has been changed – did you authorize the change?” That way, she had credit card statements sent to a new address, notifications sent to a new email address – and the reporter looking on aghast that this had all occurred within a few minutes.

“If this had been an actual hack” the reporter would not receive his credit card statements, special notifications or warnings of credit problems via email or snail mail, and the thief could take some time to max out the credit card and walk away with the loot. Multiple times.

Both @longgone and @CWOTUS show the biggest dangers; basically anything you do involving security can be compromised. You do online banking? Better use a different password for that then Facebook if you don’t want your account cleaned out. And the “social engineering” angle truly is far and away the biggest security breach possible. Is the person claiming to be you actually you?

To really understand the danger though, you need to read some Kevin Mitnick, especially The Art of Deception. The little anecdote from @CWOTUS is pretty benign by comparison.

As is hinted at in that anecdote, you don’t even need to have that information on FB if you have enough information to get enough information to get the desired information. If you can’t think at least three steps ahead and a couple to the side, you don’t have a chance of keeping hackers from getting whatever they want; the only thing that can save you is if that hacker is a “White hat”, because if they are a “Black hat” then you’re in for an interesting adventure.

@Jeruba It’s rare that there is that type of malware injected via Facebook. There really is no need for it since your FB profile may have all that information anyways, or at least enough to do some identity theft and financial hanky-panky. Look at it this way; why hotwire a car when the owner left a spare key taped to the door handle?

@jerv, maybe not via FB, but by e-mail, right? That’s how those messages go out to someone’s whole address list begging for $1400 to get them out of hot water because they’re stranded in Istanbul or something. People seem to think they’ve been personally targeted and “hacked,” when I think it’s just the case that some large quantity of e-mail accounts and passwords have been harvested and hijacked. Is this not so?

@Jeruba Facebook profiles have at least one email address attached to them. There is an old proverb, “A journey of a thousand miles begins with but a single step”, only the journey in this case (from hacking a Facebook to nefarious things like clearing out a checking account) is about a city block or two.

As for targeted attacks versus spam, it depends. Many are just spammers picking the low-lying fruit, but not all. It’s a mix.

For example, the “real name only” policy caused outcry as there are people like battered woman who are hiding from their abuser who use Facebook but need a layer of anonymity to hide their location. (Before anyone says “Just don’t use Facebook!”, ask yourself if you’d be willing to ditch your phone service, forgo ever using the postal system and generally cut yourself off from society. If not then you know why that isn’t an option, especially for those who need help. This is 2016, not 1976!) Now, that would be a targeted attack, and one with potentially deadly consequences. There are other cases where an attack may be targeted as well. Anonymous rarely spams.

The thing is, technology has outpaced society’s knowledge of information theory. You know how some people worry about letting their kids use the internet without parental supervision? If the parent doesn’t know any better than the kid then it’s just ignorant fear-mongering, yet many adults who are otherwise intelligent really don’t know much more than my cat about that sort of thing. Look at how many people lost their jobs from posting a pic of them at a ball game on a day they called in sick and you’ll realize that just being over-18 doesn’t mean that you know how to control what secrets you reveal.

Even worse, most people think directly and rarely more than one step ahead, if that. I think you’ve seen me around enough to know I tend to think a bit more laterally and make connections other people can’t see even when pointed out to them. That’s a pretty common trait among those with strong computer skills; you need that sort of non-standard thinking to communicate with the inhuman mind of a computer well enough to bend it to your will. Who else has strong computer skills and bends machines to their will? Hackers. Fortunately, most hackers are “white hats”, but there are enough black hats out there that it’s best to play it safe.

As for the spammers, they are usually “script kiddies” with little/no real computer skills. Just as it’s possible to drive a car without knowing the difference between a crankshaft and a camshaft, you can find a spambot and send it on it’s way without any real computer skill. Wardialing is still a thing too, as is it’s wifi counterpart war driving. The latter is a reason why I configured my router to only accept connections from certain MAC addresses, but even that little safety measure is beyond the skillset of most people.

At the end of the day, the real danger is from people who have creative minds and the skills to make their ideas work. But the danger is not a new one, merely one that has added a new dimension since the internet went mainstream enough to make for a target-rich environment. That latter point is where a lot of technophobes go wrong; they think they are safe if they only deal with people face-to-face and pay cash for everything when the truth is that they leave a paper trail that can be followed and exploited just as easily as a data-trail. The only difference is that computers make it a bit faster and easier than old-school dumpster-diving or searching through paper records or just plain social engineering.