About the time hackers activated two-factor authentication on my Facebook account …

This is not a blog post about travel, history, nature, or tea, although, as always, a lot of tea was consumed in the composition of it. Instead, I hope this serves as a cautionary tale about how to potentially avoid the mistakes that have seen me locked out of Facebook for over a month. While I am all in favour of digital detoxes, this is not exactly what I had in mind!

It started in mid-December with an email from Facebook saying that someone was trying to reset my password. Simple question: is this you or not? I clicked the button for “not” and was told that I didn’t have to do anything else. Whew, that was close …

Except that a few hours later I received a similar message. Again, I clicked that it wasn’t me. But something had changed: I no longer had control of the account. The hackers were in and the race was on … but it wasn’t a race I could win. While I was going through the Facebook process for securing my account and changing my password, the hackers did two things that have now made it impossible for me to log back in.

First, a long-defunct email address that I must have listed somewhere in the bowels of my Facebook settings was re-registered and all of my other email addresses were deleted. Everything now points to an address only the hackers have access to. The default recovery—sending a code to your email address—is now useless.

Second, they activated two-factor authentication. This is supposed to increase the security of a system because you need to enter a code in addition to your password. The problem occurs when, again, it points away from the account owner and to the hackers instead.

I found myself in the centre of a perfect storm of my own lax security, with hackers who had engaged in the digital equivalent of pouring glue in a lock.

“But surely,” you’re thinking, “Facebook must have a way around this!” After all, extinct email accounts, hackers, and not taking online security as seriously as we should are practically old hat by now. And Facebook is a multi-gazillion dollar company: they must have solutions, right?

And you’re not wrong: they do have systems in place.

One option seemed to be an automatic ID reader: you enter an email address you still have access to and hold up an ID to your webcam. Seems simple enough … but I tried several different forms of ID, including my passport, and every message I received said:

We can’t give you access to this account or help with your request until we receive an accepted form of ID that matches the information listed on the account.

The other choice is sending in a photograph of ID. I assumed this would be checked by an actual person and I would be back in within a few days (or a few weeks at most—after all, this occurred just before Christmas). Dozens of ID photographs later and I still haven’t heard anything.

I took to Twitter to complain, but I discovered that using words like “Facebook”, “account”, and “hacked” in the same tweet brought with it a new problem: random accounts messaged me promising to fix the issue. It felt as sleazy as being hacked in the first place.

I investigated the problem via Facebook’s help section and discovered that the misuse of two-factor authentication in this way was not uncommon. Indeed, there are multiple threads about the exact same issue, with the exact same lack of response. The only person who seems to have found a solution is Christopher, who commented that he was able to get control of his account back only after he bought an Oculus VR device and needed to register it. But it’s not all doom and gloom: I can see that I have over a hundred notifications on the account at the moment, indicating that the hackers have been kicked out too.

Over the past month, I’ve read a lot about how you can try to get your account back after it’s been hacked, but I wanted to share a few thoughts about how to try to prevent this from happening in the first place.

First, please remember that hacking by strangers isn’t personal: it’s simply about gathering as much information as possible that can be sold on in bulk (here’s an example about Depop published just this week). For many of us, Facebook has been a part of our lives for years; in my case, probably close to fifteen. Over that time, we leave a lot of nuggets of information lying around that can be valuable to those who trade in it. Credit card used to donate to a friend’s birthday collection? Or perhaps running Facebook ads? Or maybe we just use the same password to log into Facebook as we do for other accounts? It’s all useful to someone.

Because it’s not personal, you can’t predict whether you may or may not be a target. Instead, it’s best to proactively keep an eye on your data.

  • Are your account details up to date? Remove old email addresses from your account. In particular, I recommend avoiding anything from the provider Mail.com. I originally left them over a decade ago as I found my account was getting increasingly spammy, and the fact that they allow old accounts to be re-registered by anyone is a big security issue. And, in case you’re wondering, I did contact them to try to regain control of the ancient email account: no luck.
  • Set trusted contacts: I sort of thought I had done this, but apparently not (or perhaps removed by the hackers?). As the name implies, trusted contacts are people that you trust who are given codes that you can use to get back into your account if you get locked out.
  • Turn on two-factor authentication: If you have not already done so, activate two-factor authentication using your own details. It seems like such a hassle to have to enter a code in addition to your password, but, trust me, being locked out of your account is a bigger headache!
  • Get recovery codes: You can also get a series of codes that can be used if you don’t have access to your phone.
  • Set trusted people as admins if you run Facebook groups: I am very fortunate that I do not rely on social media for my business, but I do run a handful of Facebook groups. I’m the only administrator, so this means that I have lost control of them for the time being. Whether you run a group or page for your business, community organisation, or something else, set up another admin or two so you can continue to post and engage with your audience.
  • Go through security settings (and change passwords!) on a regular basis: I think this is something we all know we should do, but often don’t. With so much of our lives spent online—especially now since face-to-face events are more or less cancelled—it’s important to make sure that we’ve done everything in our power to keep us connected.

So, what happens next? In theory, I could set up a new Facebook account, but, quite frankly, I don’t have the energy: I feel my time could be better spent on so many other things. So, for the time being, if you want to get in touch, please drop me a line via email.

Can you help? Please feel free to share and amplify this message to prevent others from falling foul of the same fate. Or do you know someone who works at Facebook, or perhaps it’s the friend of a friend? Social networks exist in real life too after all—any help in getting Facebook’s attention so I can recover the account is much appreciated! I did try reaching out to them through a few different methods to get feedback for this post, but like with the help threads and passport photographs, no response has been forthcoming.


12 Comments

  1. Anna
    March 24, 2021 / 11:06 am

    Hello!

    Just reaching out as the same thing has just happened to me a couple of days ago! It’s super distressing, and this morning they seem to be trying to get into my Instagram account too. When does it end!

    How did you get the option of holding ID up to a webcam? All I’ve found is that form that you can submit a photo of your ID on; of course, I’ve had no reply. I’m also in the UK, not sure if that makes a difference in contacting them?

    I was just wondering if you ever got a reply from Facebook / managed to get back in? Like you, I have about a decade of photos on there, and also just feel really uncomfortable that a hacker still has access to my account!

    It’s reassuring to read that it’s not personal. Of course, it just feels horribly intrusive.
    x

    • March 24, 2021 / 11:28 am

      I’m so sorry this has happened to you too, Anna. I’ve just responded to you via email.

      • Taylor
        April 9, 2021 / 4:28 pm

        Hi there! The same thing happened to me and I am STRUGGLING. I run multiple Facebook accounts for my clients through my personal account and am at a complete loss. If you have found a solution, please do share!

        • April 9, 2021 / 5:23 pm

          I’m so sorry to hear that you’re dealing with this too, but I’m afraid I don’t have a quick solution for it. I’ve just emailed you some more information.

  2. Andrew Rurak
    March 27, 2021 / 3:16 pm

    Did you end up regaining access? I am having the exact same issue. I am unable to even submit ID as my account has been flagged as a spammer. Very frustrating.

    • March 27, 2021 / 3:38 pm

      I’m afraid I haven’t been able to regain access yet, Andrew, but I have just sent you some information. I’m sorry to hear that you’re dealing with this problem too.

  3. Racheed
    April 7, 2021 / 2:53 am

    The exact same thing happened to me on March 25th and I’ve been trying since to regain access to my Facebook but no response. I’ve sent them my ID and filled out the form at least 10 times and still no response. Have you had any success getting back access?

    • April 7, 2021 / 11:33 am

      I’m afraid I haven’t been able to gain access yet, but I have just emailed you with more information.

  4. Liza
    April 9, 2021 / 7:34 am

    There is definitely a wide attack going on. I was caught on 4th April, and so far nothing from Facebook other than they have now locked my account. Driving me insane as the 2FA “more help” page seems broken too.

    Looks like you’re still stuck too.

    • April 9, 2021 / 5:25 pm

      Yep, still off Facebook due to the two-factor authentication activation and there’s been no response to any of the ID photos/scans I’ve sent it. In speaking with tech people I know, they say that Facebook intentionally makes it hard to get in touch with a real person and that the only solutions they can think of are: 1) find someone who works at Facebook, or 2) kick up a media fuss. I’ve been trying to do both without much luck yet!

  5. Jennifer Smith
    April 9, 2021 / 6:16 pm

    Hello!
    Have you come across any solution to this yet? I’ve been dealing with it now for two weeks. I am starting to lose hope. It is beyond frustrating.

    • April 9, 2021 / 6:20 pm

      I’m afraid I haven’t had any luck getting to the bottom of this despite dozens of ID photos/scans sent to Facebook. I have just emailed you with further details.
