> 2. Phishing and other social engineering (I think few people are doing now)
I suspect that people are much dumber. For example, I heard about such a feint with my ears: we find out the mail (if mail is attached to the site), we go to the page of the mail service (90% mailru or another large one), we ask you to recover the password, and there is a secret question like "mother's maiden name" or "pet's nickname ", the answer to which can either be searched in a dictionary or found in the victim's profile. If the answer is guessed / recognized, then the box is stolen first, then the page.
As for the two-factor by phone, then the connections in the opsos can "help" here. There were examples in the news when people "suddenly" turned off SMS for a couple of hours (then you can see it in detail), and at that time the page was hijacked through password recovery. Stories with the appearance of a clone of a SIM card somewhere in Vladivostok (for time zones, it is better for the victim to sleep and not immediately realize) are also googled enough.

1. Brute force (now I think it's not relevant)

Admins are not stupid either, and two-factor makes this much more difficult

2. Phishing and other social engineering (I think few people are doing it now)

Doh... who's underway. As soon as we have a girl from the reception on vacation and someone is put in her place, we have to instruct on the topic "under no circumstances follow links and open attachments", because zillions of all sorts of dirty tricks fall on [email protected] Hacking can be targeted - it's one thing when you get a letter from Mr. Zaremba Zaramba from Nigeria, and another when you get a letter from Vasya's childhood friend.
Again, quite rightly noted about mail - if a person has mail on a large aggregator, first we try to steal mail, choosing answers to a security question (I would like to look at the one who picks up the answer to mine :D ).

3. A large network of rats / stealers / botnets and search for the desired page in the database

Open info from the page is interesting only if it is generally closed from the search - in order to get at least something

4. Own people in the employees of the social network.

You can suddenly get quickly and painfully even when hacking the most ordinary page. Why - and here's why . Although, of course, this possibility cannot be ruled out.
And of course, it is not at all excluded that this topic is a honeypot :) The same as an application for installing Windows to the master "by announcements"

Yes, corny someone from VK support can do this.
Therefore, large pages are not hacked, so as not to sleep at work.

But still, I don’t quite understand how all this is not controlled and covered up. W

Well, complain a couple of times about hacks, they will conduct an investigation, maybe someone will be fired. Or maybe they themselves have a share of this, and they will have to complain louder.

Of course, phishing or social engineering is rubbed into trust by communication and then they trick out the password, codes, cookies, ask Skype to install and let the screen be controlled, blackmail with deceived data, etc.
There is another option to slip the application and get access to the data quite legally, if of course they are the owners of this application, read the article on the topic: https://m.habr.com/en/post/357474/
We have 15% of corporate employees whom we torture with educational passwords are leaked with the simplest phishing or an investment is launched, so that ordinary mothers will even more be led, they are being called from the bank security service, read the reports of FinCert of the Bank of Russia (there is about access to remote banking services, not to any social networks), and here they are being on something. And since they work to order, then thishttps://ru.m.wikipedia.org/wiki/APT , which means not phishing, but spear phishing on a topic that is applicable to the victim based on posts on the social network and other information on the contacts provided, well, not a social network, but a target social network