It appears in this situation that the hacker found his victim’s profile on Facebook, submitted a lost password request, and then answered the security questions with information that was easily found on Google. After taking over his Facebook account, the hacker repeated the process to gain access to the victim’s Gmail account and started emailing all of his contacts asking for money.
If this sounds vaguely reminiscent of something that was in the news a few years ago, it’s because a very similar technique was used by a college student to access Sarah Palin’s Yahoo account. One password reset request later, and Sarah Palin’s emails were all over the Internet.
The take-home here is simple: make sure that your security questions don’t ask about details that are available with a little digging (mother’s maiden name, city of birth, high school mascot). Go for more obscure ones like your first pet’s name or the name of the best man at your wedding (as long as you didn’t blog about your wedding!). Also, take a good look at the privacy settings on all of your social networking profiles and don’t divulge more information than you have to. That will minimize the amount of damage a hacker can do if they do gain access to your profile.
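The advice above is aimed at users, but the same weakness can be checked on the service side. The Python below is an added example, not code from the original post: it rejects a security answer at enrollment when the answer already appears in the user's public profile, stores the answer as a salted PBKDF2 hash (normalized so "Fluffy " and "fluffy" still match), compares in constant time, and locks the question after three wrong guesses so a reset form cannot be brute-forced. The profile fields and answers are constructed sample values.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed sample of what an open social-media profile or a quick web
# search would reveal about a user (hypothetical values, not real data).
PUBLIC_PROFILE = {
    "hometown": "Springfield, IL",
    "high_school": "Springfield High School Tigers",
    "mother_maiden_name": "Hernandez",
}


def normalize(answer: str) -> str:
    """Canonicalize an answer so case, accents and spacing do not matter."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def answer_is_public(answer: str, public_profile: dict) -> Optional[str]:
    """Return the name of the public field that already contains the answer, else None."""
    needle = normalize(answer)
    if not needle:
        return None
    for field, value in public_profile.items():
        if needle in normalize(value):
            return field
    return None


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalized answer (never store the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


class RecoveryQuestion:
    """One enrolled security question with guess limiting."""

    MAX_FAILURES = 3

    def __init__(self, answer: str, public_profile: dict):
        leak = answer_is_public(answer, public_profile)
        if leak:
            # Refuse answers a stranger could read off the user's own profile.
            raise ValueError(f"answer already visible in public field '{leak}'")
        self.salt = os.urandom(16)
        self.digest = hash_answer(answer, self.salt)
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def verify(self, attempt: str) -> bool:
        """Constant-time check; a locked question rejects even the right answer."""
        if self.locked:
            return False
        ok = hmac.compare_digest(hash_answer(attempt, self.salt), self.digest)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok


if __name__ == "__main__":
    print(answer_is_public("Springfield", PUBLIC_PROFILE))   # hometown
    q = RecoveryQuestion("Mr. Whiskers", PUBLIC_PROFILE)
    print(q.verify("  mr. whiskers "))                        # True
    for _ in range(3):
        q.verify("fluffy")
    print(q.locked, q.verify("Mr. Whiskers"))                 # True False
```

In a real deployment the lockout counter would live in persistent storage keyed by account, and the recovery flow would also send a random single-use token to a verified address rather than relying on the question alone; this snippet only shows the checks that make the question itself harder to defeat with a search engine.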
And remember that the more you share about yourself online, the more ammunition you’re giving potential identity thieves. That doesn’t mean you should shut down all your social networking profiles because someday somebody might hack into your Facebook account. It does mean that you should be careful about what details you share, where you share them, and with whom.