UPDATE: If you are experiencing this issue—and it seems that a lot of people are—I’m afraid I have no quick or easy fix to recover your Facebook account. Click here for the update that shares what worked for me and others. Do you have a solution that’s not listed here? Let me know and I’ll add it to the post.
This is not a blog post about travel, history, nature, or tea, although, as always, a lot of tea was consumed in the composition of it. Instead, I hope this serves as a cautionary tale about how to potentially avoid the mistakes that have seen me locked out of Facebook for over a month. While I am all in favour of digital detoxes, this is not exactly what I had in mind!
It started in mid-December with an email from Facebook saying that someone was trying to reset my password. Simple question: is this you or not? I clicked the button for “not” and was told that I didn’t have to do anything else. Whew, that was close …
Except that a few hours later I received a similar message. Again, I clicked that it wasn’t me. But something had changed: I no longer had control of the account. The hackers were in and the race was on … but it wasn’t a race I could win. While I was going through the Facebook process for securing my account and changing my password, the hackers did two things that have now made it impossible for me to log back in.
First, a long-defunct email address that I must have listed somewhere in the bowels of my Facebook settings was re-registered and all of my other email addresses were deleted. Everything now points to an address only the hackers have access to. The default recovery—sending a code to your email address—is now useless.
Second, they activated two-factor authentication. This is supposed to increase the security of a system because you need to enter a code in addition to your password. The problem occurs when, again, it points away from the account owner and to the hackers instead.
I found myself in the centre of a perfect storm of my own lax security, with hackers who had engaged in the digital equivalent of pouring glue in a lock.
“But surely,” you’re thinking, “Facebook must have a way around this!” After all, extinct email accounts, hackers, and not taking online security as seriously as we should is practically old hat by now. And Facebook is a multi-gazillion dollar company: they must have solutions, right?
And you’re not wrong: they do have systems in place.
One option seemed to be an automatic ID reader: you enter an email address you still have access to and hold up an ID to your webcam. Seems simple enough … but I tried several different forms of ID, including my passport, and every message I received said:
We can’t give you access to this account or help with your request until we receive an accepted form of ID that matches the information listed on the account.
The other choice is sending in a photograph of ID. I assumed this would be checked by an actual person and I would be back in within a few days (or a few weeks at most—after all, this occurred just before Christmas). Dozens of ID photographs later and I still haven’t heard anything.
I took to Twitter to complain, but I discovered that using words like “Facebook”, “account”, and “hacked” in the same tweet brought with it a new problem: random accounts messaged me promising to fix the issue. It felt as sleazy as being hacked in the first place.
I investigated the problem via Facebook’s help section and discovered that the misuse of two-factor authentication in this way was not uncommon. Indeed, there are multiple threads about the exact same issue, with the exact same lack of response. The only person who seems to have found a solution is Christopher, who commented that he was able to get control of his account back only after he bought an Oculus VR device and needed to register it. But it’s not all doom and gloom: I can see that I have over a hundred notifications on the account at the moment, indicating that the hackers have been kicked out too.
Over the past month, I’ve read a lot about how you can try to get your account back after it’s been hacked, but I wanted to share a few thoughts about how to try to prevent this from happening in the first place.
First, please remember that hacking by strangers isn’t personal: it’s simply about gathering as much information as possible that can be sold on in bulk (here’s an example about Depop published just this week). For many of us, Facebook has been a part of our lives for years; in my case, probably close to fifteen. Over that time, we leave a lot of nuggets of information lying around that can be valuable to those who trade in it. Credit card used to donate to a friend’s birthday collection? Or perhaps running Facebook ads? Or maybe we just use the same password to log into Facebook as we do for other accounts? It’s all useful to someone.
Because it’s not personal, you can’t predict whether you may or may not be a target. Instead, it’s best to proactively keep an eye on your data.
- Are your account details up to date? Remove old email addresses from your account. In particular, I recommend avoiding anything from the provider Mail.com. I originally left them over a decade ago as I found my account was getting increasingly spammy, and the fact that they allow old accounts to be re-registered by anyone is a big security issue. And, in case you’re wondering, I did contact them to try to regain control of the ancient email account: no luck.
- Set trusted contacts: I sort of thought I had done this, but apparently not (or perhaps removed by the hackers?). As the name implies, trusted contacts are people that you trust who are given codes that you can use to get back into your account if you get locked out.
- Turn on two-factor authentication: If you have not already done so, activate two-factor authentication using your own details. It seems like such a hassle to have to enter a code in addition to your password, but, trust me, being locked out of your account is a bigger headache!
- Get recovery codes: You can also get a series of codes that can be used if you don’t have access to your phone.
- Set trusted people as admins if you run Facebook groups: I am very fortunate that I do not rely on social media for my business, but I do run a handful of Facebook groups. I’m the only administrator, so this means that I have lost control of them for the time being. Whether you run a group or page for your business, community organisation, or something else, set up another admin or two so you can continue to post and engage with your audience.
- Go through security settings (and change passwords!) on a regular basis: I think this is something we all know we should do, but often don’t. With so much of our lives spent online—especially now since face-to-face events are more or less cancelled—it’s important to make sure that we’ve done everything in our power to keep us connected.
So, what happens next? In theory, I could set up a new Facebook account, but, quite frankly, I don’t have the energy: I feel my time could be better spent on so many other things. So, for the time being, if you want to get in touch, please drop me a line via email.
PLEASE READ THE FOLLOWING SECTION BEFORE COMMENTING OR CONTACTING ME
I am always sorry to hear about people experiencing Facebook hacking and I completely understand your frustration, but I do not have any additional information beyond what is published here.
If you have a new solution that is not listed, I would be happy to publish it, but I cannot provide any technical assistance.
UPDATE APRIL 2021:
I always expected this Royal Wedding blog post to be my most popular, but instead this one has eclipsed it by some ways. I am sorry to hear that so many people are also dealing with Facebook’s two-factor authentication problem.
If you have not already done so, please make sure you report that your account has been hacked. A friend can do this for you by selecting the […] button from your profile then going to “Find support or report profile”. They should then be able to report it as hacked. You can also check out this website to see if any of the suggestions work for you.
I managed to get my account back after four months of going through the process of sending in my ID. I have no secret to recovering Facebook accounts, so there is no need to ask me to email you hidden information: I do not have any. I simply went through the recovery process every 7-10 days, selecting that I could not authorise using 2FA. This meant that I wasn’t blocked for spamming Facebook. You can probably fill out the forms more often, but it will block you if you do too many in one day.
Eventually, the automated ID reader popped up and actually read my ID properly. As I wrote in the original blog post, this initially did not work for me; I’m unsure why.
I also do not know what makes different forms pop up when you go through the recovery process. In my experience, most of the time it was a standard “attach your photo ID here” type of thing. This never worked for me, but some people have had success with it.
At present it seems like a lottery as to who is able to unlock their account and how long it takes to do so; it took me four months while others managed to get back into Facebook within a week.
It’s always great to hear from others who have recovered their account, and these are the suggestions that have been sent to me:
- Ordering an Oculus device: This was mentioned in the Facebook help threads, and several others have told me they had success with it. You can read more about this in the comments.
- Yet another form: I’ve heard from at least one person who lucked out with this one: https://www.facebook.com/help/contact/183000765122339
- Different forms of ID: This successful account unlocker isn’t sure what worked, but I think her suggestion to try a different type of ID may be worth doing:
I had to log-in through Google Chrome on my phone. When I got the Enter Code page, I clicked on “Having Trouble,” then “I don’t have my phone,” then “Contact Us.” From there, I had to enter my email address and submit ID. I had been submitting my driver’s license, but this time I submitted my marriage license. I don’t know if it was the strange form of identification that did the trick or what, but my ID was accepted and I was sent an email with the subject line “Thank you for submitting your ID.”
The first link in the email started the loop all over again, but the second paragraph gave me a code to enter instead. I FINALLY got through and confirmed my cell phone’s web browser as a recognized browser. When the next page loaded, it said my account was locked. I had to close the page I was on, re-login to Facebook on my phone browser and I was able to go through the process of unlocking my account, which involved identifying friends and removing the hacker’s email address.
- App Swap: One person recovered their account using the following steps:
- Desktop: I know a lot of people are having trouble even having their IDs accepted by Facebook, but if you have managed to get this far and are still having trouble, give this solution a try:
When you go through the process of sending a photo of your ID to be verified and you receive the email from Facebook confirming your ID is accepted with a link to reset your password, DO NOT CLICK THE LINK IN THE EMAIL!!!! Instead, follow the instructions further down in the email which says something along the lines of
‘Alternatively, type https://www.facebook.com into your browser and use the following code as your password: [code]
This WILL WORK EVEN IF 2FA IS ENABLED BY THE HACKER! It will ask you to confirm some of your Facebook friend’s profiles and then allow you to reset your password and remove the hacker’s email and telephone number and get back into your account, at which point you can turn off 2FA! Once you’ve done that you can log in through your mobile app again!
When you click the link in the email it takes you to the mobile Facebook site which seems to be the source of the issue, YOU NEED TO DO THIS FROM A DESKTOP!
I was locked out for almost a month and read this somewhere, tried it and it worked! Please try this method! I hope it helps some people out!
- Persistence … and a clear photo: This is similar to what worked for me (and also took four months), but I think Sara’s recommendation to make sure the image is as clear as possible is really important. Make sure you have plenty of natural light or try to reduce glare as much as possible. I doubt that a real person is looking at the ID, so the image has to be something a computer can easily read.
Best Option: https://m.facebook.com/login/identify
I have tried the following ways of uploading:
- With a mobile device, which you must have the id in front of you as it is a photo you must take.
- On a desktop, and I uploaded a photo file.
- On a laptop, using the webcam to recognize the id …. this eventually is what finally worked!! (preferred) You will need to finagle it so you can get a clear image, but be persistent. And if it is rejected once, send it again.
It took me from August until December
UPDATE APRIL 2022:
Based on the number of emails and comments I still receive about the Facebook two-factor authentication hack, here’s a quick summary of everything that is listed above:
- Make sure your account is reported as hacked: you can have a friend or family member do this for you.
- Check this site just in case one of the suggestions works for you: https://helpdeskgeek.com/how-to/how-to-recover-a-hacked-facebook-account/
- Please be aware that emails to Facebook are not read by a real person, but instead go through an automated system. Spamming the system will not help.
- I do not recommend using people who contact you through social media saying they can hack your account to recover it for you. They appear to be preying on desperation, and I would hate to see people lose money on top of being locked out of Facebook. If you wish to pay for account recovery, I would recommend trying a more legitimate source. The company Hacked.com advertises it has a 90% success rate at recovering Facebook accounts; it costs $329 for a personal Facebook account. Please note: I have not used them myself and cannot vouch for them.
- I have tried to get media attention about this problem for over a year without any success. If you know anyone in the media—print, digital, radio, TV, anything—who would be willing to publish something about Facebook’s two-factor authentication problem, please feel free to point them to this blog post.
- All of the solutions I have received are listed in the April 2021 update posted above; I do not have any information beyond what is shared here or in the comments:
- There is no one-size-fits-all solution to the 2FA problem: what works for one person may not work for another. While I hope everyone is able to recover their account, unfortunately I cannot guarantee any of these tips will work for you. It appears to be completely random as to who is able to get back in. All I can say is good luck and please keep trying.
- I am happy to publish your solution if you are able to unlock your account. This page gets a lot of spam through the comments, so it is best to contact me directly if you have something to share.
- Finally, a gentle reminder that this is a personal travel blog, and I run a business as an editor and instructor in higher education—I am not connected to Facebook in any way and cannot provide tech support.
PLEASE NOTE: I do not have any additional information beyond what is published here.
If you have any other ways of recovering a hacked Facebook account where 2FA has been enabled, please let me know and I will update this post.