by dddbbb 2086 days ago
I find it strange that the Facebook employee wouldn't just forcibly change OP's username to something else (e.g. @danny123), then give the desired name to their friend. Actually stealing someone's account seems like an over-the-top and unlikely way to go about this.

I'd assume there would be bots or just someone trying to sign up with that username by random chance, so they didn't want to leave the username available for a moment.

I'd assume there is a proper, transactional (as in database transactions) way to swap usernames like that but the person who did this most likely didn't have access to it (for good reason) and just did an email change + password reset on the original account.

> and just did an email change + password reset on the original account.

But isn't that why the user had 2FA on? Why can someone change the email and switch off 2FA? You would want only one of these, would you not? If you tell support you lost your email and 2FA, that would be very unlikely, so why would it be so easy to set that up?

Are there immutable logs with credentials for this kind of action, and how easy is it for employees to access or change them? I mean, why would many people have the permission to take this action, especially without some kind of flag that there is something up with the account (like unused, flagged content, etc.)?

I'd assume CS has the ability to disable 2FA or change the phone number it's associated with.