> In my case, they didn't change my password as they didn't have it, instead they were simply able to log in and add a secondary 2fa (a hardware key) which effectively locked me out so I couldn't declare something was wrong. Pretty smart.
That doesn't really checks out to me because to make any changes to 2fa in FB, you must provide your password first.
That doesn't really checks out to me because to make any changes to 2fa in FB, you must provide your password first.