People who are careful about their Facebook security and friend requests may not need to hear this, but for everyone else — or if you've ever received a friend request and thought "I might have known this person in high school" — consider this new vulnerability that lets hackers bypass the Facebook security question with fake friends.
We're still testing this security question vulnerability (testing means the account will be locked for 24 hours after the password change), but a reader sent in this tip about how easy it is for a hacker to bypass the security question on Facebook.
Apparently, if you tell Facebook that you no longer have access to your email account(s) or mobile phone, you'll get the common security question prompt. If the security question is answered wrong (by you or by a hacker), Facebook offers to verify the account by sending codes to three of your friends. Trouble is, a hacker could plant fake friends into your account (if you automatically accept friend requests), and since those "friends" are under the hacker's control, the codes land in the hacker's hands and can be used to go through this process and reset your Facebook password.
To protect yourself from this vulnerability, hacker9 recommends registering your mobile phone on Facebook and enabling all the account security settings (including the recently mentioned "Login Approvals" feature). And, of course, be wary when accepting strange friend requests.