Facebook account hacked

So this evening my Facebook account was hacked and spam messages were posted to a few dozen friends on my behalf. Thankfully, since I’m friends with a number of security-savvy folks, I was notified almost instantly. Now I’ve never cared too much about my Facebook account, so I used one of my weak passwords. I’m pretty sure I wasn’t phished, and I’m pretty sure I don’t have malware installed on my machine, so I’m guessing (as suggested by Aaron) that some site where I reused my weak password was hacked…. but which site? Who knows. Maybe it’s really time for me to fully address this web-password situation with a real solution.

So I’ve been working on cleaning things up at Facebook. And I’m a little bit surprised that Facebook doesn’t make it easier for you.

  1. I changed my password, but I’m wondering, does this invalidate all currently open sessions? I hope so, but it would be nice to know.
  2. I removed a few apps that I haven’t used in a while, though I’m pretty sure that apps can’t do wall posts.. but still it would be nice to know for sure, and it would be nice to have one page from which I can remove a bunch of apps, which doesn’t quite seem possible except if you’re only interested in removing recently used apps.
  3. I never write on people’s walls, and yet Facebook allowed my account to write on dozens of walls in a matter of seconds without throttling. Seriously? How about a CAPTCHA or an email confirmation or heck the ability for me to say “lock my account if I post more than 3 wall messages in a minute”. I understand that not all users want to be throttled, but I care about not spamming my friends, so I would opt for the “more secure” version of Facebook that inherently limits my abilities so that my friends are mostly spared if I get hacked.
  4. I’d like to see all of my wall postings so I can delete them easily from one page, but I can’t seem to find a page that lists those, I have to go through my “recent activity,” and when I click the “X”, I’m not sure if I’m removing the post from my friends’ walls, or just removing the entry from activity log, so to be safe I clicked through to each friend’s wall and removed the post there. “Tedious” comes to mind.
  5. I’d like to see everything that happened in that bad session, and maybe even what IP address / web browser was used, so I can trace and see if they tried to log in before, etc…

If there are any Facebook security engineers listening, it would be great to be empowered to clean up our accounts more easily. Right now, I feel quite powerless, I don’t have the tools to clean things up, and I don’t even know if I’ve finished cleaning things up completely.

UPDATE: oh great, now Facebook suspends my account, though I’ve already changed my password to a stronger one, I need to change it again. And now I’m wondering, when was the suspicious activity detected? After I cleaned up? If so, is it still happening? More info Facebook, please, more info.