UPDATE: If you are experiencing this issue—and it seems that a lot of people are—I’m afraid I have no quick or easy fix to recover your Facebook account. Click here for the update that shares what worked for me and others. Do you have a solution that’s not listed here? Let me know and I’ll add it to the post.
This is not a blog post about travel, history, nature, or tea, although, as always, a lot of tea was consumed in the composition of it. Instead, I hope this serves as a cautionary tale about how to potentially avoid the mistakes that have seen me locked out of Facebook for over a month. While I am all in favour of digital detoxes, this is not exactly what I had in mind!
It started in mid-December with an email from Facebook saying that someone was trying to reset my password. Simple question: is this you or not? I clicked the button for “not” and was told that I didn’t have to do anything else. Whew, that was close …
Except that a few hours later I received a similar message. Again, I clicked that it wasn’t me. But something had changed: I no longer had control of the account. The hackers were in and the race was on … but it wasn’t a race I could win. While I was going through the Facebook process for securing my account and changing my password, the hackers did two things that have now made it impossible for me to log back in.
First, a long-defunct email address that I must have listed somewhere in the bowels of my Facebook settings was re-registered and all of my other email addresses were deleted. Everything now points to an address only the hackers have access to. The default recovery—sending a code to your email address—is now useless.
Second, they activated two-factor authentication. This is supposed to increase the security of a system because you need to enter a code in addition to your password. The problem occurs when, again, it points away from the account owner and to the hackers instead.
I found myself in the centre of a perfect storm of my own lax security, with hackers who had engaged in the digital equivalent of pouring glue in a lock.
“But surely,” you’re thinking, “Facebook must have a way around this!” After all, extinct email accounts, hackers, and not taking online security as seriously as we should is practically old hat by now. And Facebook is a multi-gazillion dollar company: they must have solutions, right?
And you’re not wrong: they do have systems in place.
One option seemed to be an automatic ID reader: you enter an email address you still have access to and hold up an ID to your webcam. Seems simple enough … but I tried several different forms of ID, including my passport, and every message I received said:
We can’t give you access to this account or help with your request until we receive an accepted form of ID that matches the information listed on the account.
The other choice is sending in a photograph of ID. I assumed this would be checked by an actual person and I would be back in within a few days (or a few weeks at most—after all, this occurred just before Christmas). Dozens of ID photographs later and I still haven’t heard anything.
I took to Twitter to complain, but I discovered that using words like “Facebook”, “account”, and “hacked” in the same tweet brought with it a new problem: random accounts messaged me promising to fix the issue. It felt as sleazy as being hacked in the first place.
I investigated the problem via Facebook’s help section and discovered that the misuse of two-factor authentication in this way was not uncommon. Indeed, there are multiple threads about the exact same issue, with the exact same lack of response. The only person who seems to have found a solution is Christopher, who commented that he was able to get control of his account back only after he bought an Oculus VR device and needed to register it. But it’s not all doom and gloom: I can see that I have over a hundred notifications on the account at the moment, indicating that the hackers have been kicked out too.
Over the past month, I’ve read a lot about how you can try to get your account back after it’s been hacked, but I wanted to share a few thoughts about how to try to prevent this from happening in the first place.
First, please remember that hacking by strangers isn’t personal: it’s simply about gathering as much information as possible that can be sold on in bulk (here’s an example about Depop published just this week). For many of us, Facebook has been a part of our lives for years; in my case, probably close to fifteen. Over that time, we leave a lot of nuggets of information lying around that can be valuable to those who trade in it. Credit card used to donate to a friend’s birthday collection? Or perhaps running Facebook ads? Or maybe we just use the same password to log into Facebook as we do for other accounts? It’s all useful to someone.
Because it’s not personal, you can’t predict whether you may or may not be a target. Instead, it’s best to proactively keep an eye on your data.
- Are your account details up to date? Remove old email addresses from your account. In particular, I recommend avoiding anything from the provider Mail.com. I originally left them over a decade ago as I found my account was getting increasingly spammy, and the fact that they allow old accounts to be re-registered by anyone is a big security issue. And, in case you’re wondering, I did contact them to try to regain control of the ancient email account: no luck.
- Set trusted contacts: I sort of thought I had done this, but apparently not (or perhaps removed by the hackers?). As the name implies, trusted contacts are people that you trust who are given codes that you can use to get back into your account if you get locked out.
- Turn on two-factor authentication: If you have not already done so, activate two-factor authentication using your own details. It seems like such a hassle to have to enter a code in addition to your password, but, trust me, being locked out of your account is a bigger headache!
- Get recovery codes: You can also get a series of codes that can be used if you don’t have access to your phone.
- Set trusted people as admins if you run Facebook groups: I am very fortunate that I do not rely on social media for my business, but I do run a handful of Facebook groups. I’m the only administrator, so this means that I have lost control of them for the time being. Whether you run a group or page for your business, community organisation, or something else, set up another admin or two so you can continue to post and engage with your audience.
- Go through security settings (and change passwords!) on a regular basis: I think this is something we all know we should do, but often don’t. With so much of our lives spent online—especially now since face-to-face events are more or less cancelled—it’s important to make sure that we’ve done everything in our power to keep us connected.
So, what happens next? In theory, I could set up a new Facebook account, but, quite frankly, I don’t have the energy: I feel my time could be better spent on so many other things. So, for the time being, if you want to get in touch, please drop me a line via email.
UPDATE: PLEASE READ BEFORE COMMENTING
I always expected this Royal Wedding blog post to be my most popular, but instead this one has eclipsed it by some ways. I am sorry to hear that so many people are also dealing with Facebook’s two-factor authentication problem.
If you have not already done so, please make sure you report that your account has been hacked. A friend can do this for you by selecting the […] button from your profile then going to “Find support or report profile”. They should then be able to report it as hacked. You can also check out this website to see if any of the suggestions work for you.
I managed to get my account back after four months of going through the process of sending in my ID. I have no secret to recovering Facebook accounts, so there is no need to ask me to email you hidden information: I do not have any. I simply went through the recovery process every 7-10 days, selecting that I could not authorise using 2FA. This meant that I wasn’t blocked for spamming Facebook. You can probably fill out the forms more often, but it will block you if you do too many in one day.
Eventually, the automated ID reader popped up and actually read my ID properly. As I wrote in the original blog post, this initially did not work for me; I’m unsure why.
I also do not know what makes different forms pop up when you go through the recovery process. In my experience, most of the time it was a standard “attach your photo ID here” type of thing. This never worked for me, but some people have had success with it.
At present it seems like a lottery as to who is able to unlock their account and how long it takes to do so; it took me four months while others managed to get back into Facebook within a week.
It’s always great to hear from others who have recovered their account, and these are the suggestions that have been sent to me:
- Ordering an Oculus device: This was mentioned in the Facebook help threads, and several others have told me they had success with it. You can read more about this in the comments.
- Yet another form: I’ve heard from at least one person who lucked out with this one: https://www.facebook.com/help/contact/183000765122339
- Different forms of ID: This successful account unlocker isn’t sure what worked, but I think her suggestion to try a different type of ID may be worth doing:
I had to log-in through Google Chrome on my phone. When I got the Enter Code page, I clicked on “Having Trouble,” then “I don’t have my phone,” then “Contact Us.” From there, I had to enter my email address and submit ID. I had been submitting my driver’s license, but this time I submitted my marriage license. I don’t know if it was the strange form of identification that did the trick or what, but my ID was accepted and I was sent an email with the subject line “Thank you for submitting your ID.”
The first link in the email started the loop all over again, but the second paragraph gave me a code to enter instead. I FINALLY got through and confirmed my cell phone’s web browser as a recognized browser. When the next page loaded, it said my account was locked. I had to close the page I was on, re-login to Facebook on my phone browser and I was able to go through the process of unlocking my account, which involved identifying friends and removing the hacker’s email address.
- App Swap: One person recovered their account using the following steps:
- Desktop: I know a lot of people are having trouble even having their IDs accepted by Facebook, but if you have managed to get this far and are still having trouble, give this solution a try:
When you go through the process of sending a photo of your ID to be verified and you receive the email from Facebook confirming your ID is accepted with a link to reset your password, DO NOT CLICK THE LINK IN THE EMAIL!!!! Instead, follow the instructions further down in the email which says something along the lines of
‘Alternatively, type https://www.facebook.com into your browser and use the following code as your password: [code]
This WILL WORK EVEN IF 2FA IS ENABLED BY THE HACKER! It will ask you to confirm some of your Facebook friend’s profiles and then allow you to reset your password and remove the hacker’s email and telephone number and get back into your account, at which point you can turn off 2FA! Once you’ve done that you can log in through your mobile app again!
When you click the link in the email it takes you to the mobile Facebook site which seems to be the source of the issue, YOU NEED TO DO THIS FROM A DESKTOP!
I was locked out for almost a month and read this somewhere, tried it and it worked! Please try this method! I hope it helps some people out!
PLEASE NOTE: I do not have any additional information beyond what is published here.
If you have any other ways of recovering a hacked Facebook account where 2FA has been enabled, please let me know and I will update this post.