23-year-old Aaron Thompson noticed something strange this week when he tried to log in to his Facebook account: the email address and phone number associated with his account had been changed. Then he checked his email to discover an email chain between Facebook customer service and a hacker claiming to be him — a hacker who had gained control of Thompson’s account with a simple scanned picture of a fake passport.

Thompson was afraid the hacker compromised his account to monetize his business pages, but the cyber-crook only messaged a few of his friends and sent a lewd image to his girlfriend. Thankfully, Thompson regained control of his account the day after the hack, and Facebook admitted that it made a mistake granting the hacker access.

“Accepting this ID was a mistake that violated our own internal policies and this case is not the norm,” a Facebook spokesperson said.

However, Facebook isn’t alone in asking for a scanned copy of important documents to prove your identity; both Airbnb and PayPal also ask for your passport. So the real question is: why do tech companies still rely on such an outdated way of proving who you are?

“It is 2016 and we’re still scanning/photographing largely static identification docs, which could be designed to work much better with the very digital world we work in,” independent security researcher Jessy Irwin told Motherboard. “Forgery isn’t new and has been a issue for literally thousands of years.”

Even with all of Facebook’s advancements in privacy and security, it’s scary just how vulnerable users still are to simple hacks like this.