
Someone accessing my Facebook account bypassing 2FA and notifications of foreign login attempt

StoneFire
Solved by Spotty

Hello people,

I come to you as I'm in search of how the frigg someone manages to access my Facebook account and manages to bypass my 2FA and my email notifications about logins from foreign devices.
I was the victim of some malware and I'm well aware why my PC got compromised, but with my knowledge I can't fathom how they're able to do this with all these security measures in effect?
One thing could be if they simply have access through my own PC, but by digging around on Facebook I was able to find foreign IPv6 addresses accessing my account and I don't have such an address myself but instead an IPv4 one.
What keeps baffling me is even with the passwords changed on all of my accounts tied to my LastPass, and LastPass itself, and with the compromised PC having been turned off for days they have still been able to log in.
They also managed to make a Google Ads account from my Google account, which has the same security measures enabled, and I was only notified of this when I got an email confirming the creation of my account.
PS, they never managed to change my passwords anywhere but I'm sure they were trying as they managed to add a foreign phone number to my Facebook while I was already on top of the situation, so they were probably trying to exploit the weak ass security of using text based options.

Hopefully someone is able to share their insight so I can get a better understanding of HOW they're doing this.

I think I'd delete the account first, then worry about how.

11 minutes ago, StoneFire said:

What keeps baffling me is even with the passwords changed on all of my accounts tied to my LastPass, and LastPass itself,

Wasn't LastPass recently compromised again? I wouldn't trust these fools to protect your passwords.

6 minutes ago, Senzelian said:

Wasn't LastPass recently compromised again? I wouldn't trust these fools to protect your passwords.

I'm aware they had someone steal some source code, but even IF said insight into the code was used to access my LastPass they STILL need my authentication via my 2FA that I don't have via their platform. So your statement falls outside the scope of my question.

2 minutes ago, StoneFire said:

So your statement falls outside the scope of my question.

Yeah I know it does. 

Is your 2FA reliant on a phone number, soft token, hard token, authenticator app?

3 minutes ago, Senzelian said:

Yeah I know it does. 

Is your 2FA reliant on a phone number, soft token, hard token, authenticator app? 

Authenticator app and I try to never use any security measure relying on my phone number.

11 minutes ago, StoneFire said:

Authenticator app and I try to never use any security measure relying on my phone number.

I'm no security researcher, but I can tell you that even 2FA can be bypassed. Usually I'd say contact the support of the 2FA service that has failed, but you mentioned a Facebook and Google account, so I think there's a good chance that there is an issue with either your authenticator or your network.

You were likely infected with malware that stole your browser's cookies that contain your session tokens for those websites. This would allow them to bypass logging in altogether as those cookies are what the websites use to authenticate you after you logged in. 

Changing your password should invalidate the old session tokens. If they still have access to your account they've either added an alternative login method (maybe to do with the phone number they added?) or the malware is still on your system and they were able to get the new tokens when you logged in to your account after changing your password.

 

59 minutes ago, StoneFire said:

PS, they never managed to change my passwords anywhere but I'm sure they were trying as they managed to add a foreign phone number to my Facebook while I was already on top of the situation, so they were probably trying to exploit the weak ass security of using text based options.

Most websites require you to type your old password when setting a new password. If they did indeed steal your session cookies then they wouldn't have your password and would be unable to change it. 
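
The mechanism described in the answer above, as an added example (not part of the thread, and not how any named site is known to implement sessions): a toy server-side session store in which the cookie alone authenticates a request, and a password change revokes earlier cookies. `SessionStore`, its methods, the per-user generation counter and the `second_factor_ok` flag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    def __init__(self):
        self._users = {}     # user -> {"salt", "pw", "gen"}
        self._sessions = {}  # cookie token -> (user, generation when issued)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "pw": _hash(password, salt), "gen": 0}

    def _password_ok(self, user, password):
        rec = self._users[user]
        return hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))

    def login(self, user, password, second_factor_ok):
        # second_factor_ok stands in for a verified authenticator-app code.
        if not (self._password_ok(user, password) and second_factor_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._users[user]["gen"])
        return token

    def authenticate(self, token):
        # Requests after login present only the cookie: no password, no 2FA.
        user, gen = self._sessions.get(token, (None, None))
        if user is None or gen != self._users[user]["gen"]:
            return None
        return user

    def change_password(self, user, old_password, new_password):
        # The old password is required; a copied cookie does not contain it.
        if not self._password_ok(user, old_password):
            return False
        salt = secrets.token_bytes(16)
        self._users[user].update(salt=salt, pw=_hash(new_password, salt))
        self._users[user]["gen"] += 1  # revokes every cookie issued earlier
        return True

def demo():
    s = SessionStore()
    s.register("alice", "old-pw")  # constructed sample account
    cookie = s.login("alice", "old-pw", second_factor_ok=True)
    before = s.authenticate(cookie)           # copied cookie is accepted
    s.change_password("alice", "old-pw", "new-pw")
    return before, s.authenticate(cookie)     # ("alice", None)
```

A cookie issued after the password change carries the new generation and is accepted, which is why the answer's second case (tokens captured again from a machine that is still infected) survives a password reset.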
