About the time hackers activated two-factor authentication on my Facebook account …

This is not a blog post about travel, history, nature, or tea, although, as always, a lot of tea was consumed in the composition of it. Instead, I hope this serves as a cautionary tale about how to potentially avoid the mistakes that have seen me locked out of Facebook for over a month. While I am all in favour of digital detoxes, this is not exactly what I had in mind!

It started in mid-December with an email from Facebook saying that someone was trying to reset my password. Simple question: is this you or not? I clicked the button for “not” and was told that I didn’t have to do anything else. Whew, that was close …

Except that a few hours later I received a similar message. Again, I clicked that it wasn’t me. But something had changed: I no longer had control of the account. The hackers were in and the race was on … but it wasn’t a race I could win. While I was going through the Facebook process for securing my account and changing my password, the hackers did two things that have now made it impossible for me to log back in.

First, a long-defunct email address that I must have listed somewhere in the bowels of my Facebook settings was re-registered. All of my other email addresses were deleted: everything now points to an address only the hackers have access to. The default recovery—sending a code to your email address—is now useless.

Second, they activated two-factor authentication. This is supposed to increase the security of a system because you need to enter a code in addition to your password. The problem occurs when, again, it points away from the account owner and to the hackers instead.

I found myself in the centre of a perfect storm of my own lax security, with hackers who had engaged in the digital equivalent of pouring glue in a lock.

“But surely,” you’re thinking, “Facebook must have a way around this!” After all, extinct email accounts, hackers, and not taking online security as seriously as we should is practically old hat by now. And Facebook is a multi-gazillion dollar company: they must have solutions, right?

And you’re not wrong: they do have systems in place.

One option seemed to be an automatic ID reader: you enter an email address you still have access to and hold up an ID to your webcam. Seems simple enough … but I tried several different forms of ID, including my passport, and every message I received said:

We can’t give you access to this account or help with your request until we receive an accepted form of ID that matches the information listed on the account.

The other choice is sending in a photograph of ID. I assumed this would be checked by an actual person and within a few days (or a few weeks at most—after all, this occurred just before Christmas), I would be back in. Dozens of ID photographs later and I still haven’t heard anything.

I took to Twitter to complain, but I discovered that using words like “Facebook”, “account”, and “hacked” in the same tweet brought with it a new problem: random accounts messaged me promising to fix the issue. It felt as sleazy as being hacked in the first place.

I investigated the problem via Facebook’s help section and discovered that the misuse of two-factor authentication in this way was not uncommon. Indeed, there are multiple threads about the exact same issue, with the exact same lack of response. The only person who seems to have found a solution is Christopher, who commented that he was able to get control of his account back only after he bought an Oculus VR device and needed to register it. But it’s not all doom and gloom: I can see that I have over a hundred notifications on the account at the moment, indicating that the hackers have been kicked out too.

Over the past month, I’ve read a lot about how you can try to get your account back after it’s been hacked, but I wanted to share a few thoughts about how to try to prevent this from happening in the first place.

First, please remember that hacking by strangers isn’t personal: it’s simply about gathering as much information as possible that can be sold on in bulk (here’s an example about Depop published just this week). For many of us, Facebook has been a part of our lives for years; in my case, probably close to fifteen. Over that time, we leave a lot of nuggets of information lying around that can be valuable to those who trade in it. Credit card used to donate to a friend’s birthday collection? Or perhaps running Facebook ads? Or maybe we just use the same password to log into Facebook as we do for other accounts? It’s all useful to someone.

Because it’s not personal, you can’t predict whether you may or may not be a target. Instead, it’s best to proactively keep an eye on your data.

  • Are your account details up to date? Remove old email addresses from your account. In particular, I recommend avoiding anything from the provider Mail.com. I originally left them over a decade ago as I found my account was getting increasingly spammy, and the fact that they allow old accounts to be re-registered by anyone is a big security issue. And, in case you’re wondering, I did contact them to try to regain control of the ancient email account: no luck.
  • Set trusted contacts: I sort of thought I had done this, but apparently not (or perhaps removed by the hackers?). As the name implies, trusted contacts are people that you trust who are given codes that you can use to get back into your account if you get locked out.
  • Turn on two-factor authentication: If you have not already done so, activate two-factor authentication using your own details. It seems like such a hassle to have to enter a code in addition to your password, but, trust me, being locked out of your account is a bigger headache!
  • Get recovery codes: You can also get a series of codes that can be used if you don’t have access to your phone.
  • Set trusted people as admins if you run Facebook groups: I am very fortunate that I do not rely on social media for my business, but I do run a handful of Facebook groups. I’m the only administrator, so this means that I have lost control of them for the time being. Whether you run a group or page for your business, community organisation, or something else, set up another admin or two so you can continue to post and engage with your audience.
  • Go through security settings (and change passwords!) on a regular basis: I think this is something we all know we should do, but often don’t. With so much of our lives spent online—especially now since face-to-face events are more or less cancelled—it’s important to make sure that we’ve done everything in our power to keep us connected.

So, what happens next? In theory, I could set up a new Facebook account, but, quite frankly, I don’t have the energy: I feel my time could be better spent on so many other things. So, for the time being, if you want to get in touch, please drop me a line via email.

Can you help? Please feel free to share and amplify this message to prevent others from falling foul of the same fate. Or do you know someone who works at Facebook, or perhaps it’s the friend of a friend? Social networks exist in real life too after all—any help in getting Facebook’s attention so I can recover the account is much appreciated! I did try reaching out to them through a few different methods to get feedback for this post, but like with the help threads and passport photographs, no response has been forthcoming.

Don’t forget to cast your vote: if you’re interested in listening to something that combines travel, nature, and history, check out a potential podcast I’m looking into launching. Just tick the box and hit submit if this is just your cup of tea. 

Off the Beaten Track Wiltshire

Explore the UK from wherever you are! Get notified when each new blog post is published and receive a free eBook as a bonus:


Leave a Reply

Your email address will not be published. Required fields are marked *

MissElaineous Travel Blog: Escape, Explore, Discover, Enjoy