There is an even easier way to hack. When I got my new phone number, I found out that the number was recycled and the previous owner's Facebook account was now linked with mine.
From there it was just a few minutes before the account came under my control (I was experimenting and seriously believed it wouldn't work). I reached out to the owner through email and told them to unlink their phone number.
I reached out to Facebook through their bug bounty and explained the case. They simply replied that they couldn't do anything and that it's the phone number provider's fault for recycling it.
Tying accounts to phone numbers is extremely dumb. People change numbers. Numbers get reused. Also, for many companies/regions, if you lose your SIM, you lose the number (e.g. if you don't have a contract but just a pre-paid SIM).
For some reason? She added an additional email but didn't remove the old one. There are a ton of online services (for example GitHub) that allow you to define multiple email addresses.
If you want to remove it... remove it.
I have never seen an online service that doesn't show you all the registered emails you have.
This is not always true with regard to personal information.
I wanted to delete my phone number from Snapchat, but it wouldn't let me without adding a new phone number. Note that the account was created using an email address, so the existence of a phone number wasn't necessary. It just seems like some services love to collect personal information but not remove it, especially those that rely on targeted advertising.
Also, if you change an email address, in some services the old email isn't actually removed from your records. I did a CCPA "download a copy of all your data" request on Epic Games and it basically stored every email address I ever used, even though they weren't visible in the UI, and even though some are inactive. Instagram and Twitter are the same.
That Snapchat thing you wrote about sucks.
However, what you wrote about Epic does make sense. Maybe they didn't remove them for security reasons, but you can't use them to log in and therefore can't steal an account. Think what happens if they had purchase info tied to that email... they might need it. But at least block login attempts.
My wife is not a techie, and I do not watch over her shoulder to make sure she does everything she should. And I must admit, this was an attack vector I did not foresee myself.
My guess is that they did not know. I am hoping someone will see this and recognise it. Maybe we could figure out together what is going on. The e-mail address from the DNS listing is found in a couple of places on the internet, all in the same setting: recipient of some e-mail service, nothing else.
This is the thing. The only thing that comes to my mind is that the attackers knew his wife previously. Since the email is not a common one like info@... or contact@..., it sounds difficult to me to find.
Another possibility is that some bot is buying discarded domains and trying to reset passwords with different combinations.
I was thinking about this too. I do not think it was a targeted attack. I guess my wife's e-mail and password from way back were found among the millions of leaked passwords that are available. It would be easy to find the domains in that list that no longer exist. And likewise easy to find whether certain web sites would react positively to the e-mail address of the non-existent domain. And then it would just be a matter of registering the domain to get access, at least to some sites. What boggles me is that someone actually does this. I can't see why.
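The enumeration described in the last two comments (pull e-mail addresses out of a leak, keep the ones whose domain has lapsed, re-register the domain, then use the site's password reset) has a straightforward defensive mirror: a service can audit its own user table for addresses on domains that no longer resolve and refuse to send reset mail to them until the user proves ownership another way. The following is an added example written for this page, not code from any of the commenters or from the sites they mention. The user records and the stub resolver are constructed for the example; the `live_domain_check` helper is a best-effort approximation (an address lookup, not an MX or registration query) and is an assumption of the example.

```python
"""Added example: flag accounts whose e-mail domain no longer resolves, so the
e-mail-based password reset cannot be hijacked by re-registering the domain.
Records and resolver below are constructed for the example, not real data."""
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample users: (user_id, e-mail address). The domain
# 'old-family-site.example' stands in for a domain that has lapsed.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("u1", "alice@example.com"),
    ("u2", "bob@old-family-site.example"),
    ("u3", "carol@Example.COM"),
    ("u4", "dave@old-family-site.example"),
    ("u5", "malformed-address"),
]


def email_domain(addr: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if it has none."""
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def live_domain_check(domain: str) -> bool:
    """Best-effort liveness check via the system resolver (assumption: a domain
    that resolves to an address is still registered). A real audit would query
    NS/MX records with a proper DNS library; this is enough to run the example."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_accounts(
    users: Iterable[Tuple[str, str]],
    domain_is_live: Callable[[str], bool] = live_domain_check,
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group users by e-mail domain, query each domain once, and return
    (domain -> user ids whose domain does not resolve, ids with unparsable mail)."""
    by_domain: Dict[str, List[str]] = defaultdict(list)
    unparsable: List[str] = []
    for uid, addr in users:
        domain = email_domain(addr)
        if domain is None:
            unparsable.append(uid)
        else:
            by_domain[domain].append(uid)
    dangling: Dict[str, List[str]] = {}
    for domain, ids in by_domain.items():
        if not domain_is_live(domain):
            dangling[domain] = ids
    return dangling, unparsable


def may_send_reset_mail(addr: str, dangling_domains: Dict[str, List[str]]) -> bool:
    """Policy hook for the reset flow: refuse the e-mail path for flagged domains
    (the user must use a second factor or support instead)."""
    domain = email_domain(addr)
    return domain is not None and domain not in dangling_domains


if __name__ == "__main__":
    flagged, bad = find_dangling_accounts(SAMPLE_USERS)
    for domain, ids in flagged.items():
        print(f"{domain}: block e-mail reset for {ids}")
    print("unparsable addresses:", bad)
```

The audit deduplicates by domain before querying, so a large user table costs one lookup per distinct domain rather than per user, and `may_send_reset_mail` is the single place the reset handler consults before choosing the e-mail path.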