Facebook Account Takeover Hack, but Meta Does the Most Damage

On February 24th, 2022, the same day that Russia invaded the Ukraine, my Facebook account was the target of a successful Account Takeover attack. In the 30 minutes it took for me to respond to the attack and get the account locked, the hacker/s exploited Facebook’s own tools to successfully lock me out of my account. As of the time of writing this post, 4 days remain before Meta permanently deletes my Facebook account, an account that I have built over the course of more than a decade. It will be a loss that I will not soon forget – or forgive. But it’s the lack of any accessible human intervention or assistance from Meta/Facebook that is doing the most damage.

How did they do it?

Simply put, the attacker/s exploited Facebook’s “forgot password” feature. When someone forgets their password (usually because they’re not using a password manager), they can request that a password reset link be sent to their email address. For some of us, there is more than one email address associated with the account. In my case, I had added an email address to my account to verify ownership of a domain so that I could regain control of a client’s Facebook business page.

It was using this email address that the attacker/s were able to exploit the forgot password feature and gain access to the account, and they did it by taking the expired domain name and registering it themselves so they could receive the email to reset the password.
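The weak point in the story above is a recovery address on a domain nobody is watching any more. The following script is an added example, not code from the original post or from Facebook, that audits a list of recovery e-mail addresses for exactly that gap; the sample addresses and the fake resolver are constructed so it runs offline.

```python
# Added example, not from the original post: audit an account's recovery
# e-mail addresses for the gap described above, a reset address whose
# domain has lapsed and could be re-registered by anyone.
import socket
from dataclasses import dataclass

@dataclass
class RecoveryFinding:
    email: str
    domain: str
    status: str  # "ok", "unresolvable" or "invalid"

def domain_of(email: str):
    """Lower-cased domain part of an address, or None if it is malformed."""
    local, sep, domain = email.partition("@")
    if not sep or not local or "@" in domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")

def resolves(domain: str) -> bool:
    """Live DNS check (needs network); any answer counts as registered."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit_recovery_emails(emails, resolver=resolves):
    """Flag addresses whose domain no longer resolves. 'ok' only means the
    name resolves: still confirm you hold the registration, because a lapsed
    name that someone else re-registered resolves just fine (the attack above)."""
    findings = []
    for email in emails:
        domain = domain_of(email)
        if domain is None:
            findings.append(RecoveryFinding(email, "", "invalid"))
        elif resolver(domain):
            findings.append(RecoveryFinding(email, domain, "ok"))
        else:
            findings.append(RecoveryFinding(email, domain, "unresolvable"))
    return findings

# Constructed sample data; the domains are placeholders, not real sites.
SAMPLE_EMAILS = ["me@example.com", "verify@old-client-site.example", "not-an-address"]
FAKE_REGISTERED = {"example.com"}  # stand-in for a live resolver, so this runs offline

if __name__ == "__main__":
    for f in audit_recovery_emails(SAMPLE_EMAILS, resolver=FAKE_REGISTERED.__contains__):
        print(f"{f.status:12} {f.email}")
```

Run it with the default resolver against the real list of addresses on an account and remove anything that comes back unresolvable before someone else registers the name.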

Timing was also key here, as I had, coincidentally, relaxed my FB account security in order to help try to address harassment my significant other was experiencing on FB (another issue that Facebook was not addressing).

Once in the account, they deleted the other email addresses, and began engaging in whatever nefarious activity they chose to pursue, including running advertisements using my Facebook Advertising account.

Now, since I don’t allow people to discover me using my email addresses, I am left to wonder – what kind of OSINT activity was used to gather the email addresses that were on my account in the first place? My best guess – Cambridge Analytica.

30 minute response time

From the first email requesting the password be changed to the moment when I was able to get Facebook to lock the account as having been hacked, only 30 minutes elapsed. But in that 30 minutes, a lot of damage was done.

Since I do know people from the Ukraine, and since this all happened during the first day of Russia’s invasion of the Ukraine, I have to believe that Russian hackers are the most likely source of the attack; though, it would be next to impossible to prove this without some kind of cooperation from Facebook/Meta – and there seems to be little or no interest on Meta’s part to help in any way.

Of course, it is a little more sophisticated. Emails from Facebook during the Account Takeover show that an iPhone was used to change the password via an IP address belonging to Comcast/Xfinity in Portland, Oregon.

My response

Within the first 30 minutes of the attack, I reported the attack to Facebook, and they responded that the account had been locked pending verification. I then had to proceed through a password reset using previous passwords, but, since the email address I actually use had been removed, I had to take the added step of providing a copy of my ID. It took about 2 days for Facebook to verify the account and change the primary email address back to what it should have been.

But, when I logged in, I was greeted with a message that my account had been suspended due to posts or comments that didn’t follow Facebook’s Community Standards. My only option was to request a review – which I did.

Meanwhile, I also reached out to GoDaddy, the domain registrar that had been used to register the domain and use it for the hack, and notified them of the activity. They asked for evidence to support my claim, which I sent them, and they responded swiftly, revoking the domain name registration for whoever had just registered it within just 48 hours.

I also notified Xfinity/Comcast, who confirmed that one of their IP addresses had been used in the attack and they opened a case – I haven’t heard back.

Then, a few days later, on March 1st I received another notice from security@facebookmail.com that my account may have been accessed and I was required to change the password, which I did. Upon logging in, the message remained that the account had been disabled and a “Review requested.”

I have also tried submitting evidence of the hack via a Facebook help page, but the submission was rejected. If I log in, as suggested by the error message, return to https://www.facebook.com/help/103873106370583/ and click the link to “use this form to request a review,” it just takes me to the page that says the account is suspended and that a review has been requested. It is at this point that words reminiscent of the immortal George Carlin come to mind – What Review?!!!!

On March 6th I received a message from PayPal that my payment to Facebook Ads had been successfully processed – only, I hadn’t authorized any advertisements. So, I started a dispute through PayPal – but that required waiting months for a response from Facebook. That left me with only one option – I contacted my bank. When they learned of the attack, they took swift action – disputing the charge with PayPal, who did then (based on this information from the bank) refund the money. The bank then shut down the account and I had to open a new one.

I also filed with both the FBI and the FTC, detailing the attack, and sent emails to every Facebook/Meta support resource I could find, including paypal.ads3@fb.com, disabled@fb.com, support@fb.com and via Twitter. In response I have heard … nothing.

It is worth noting that there is no evidence that Facebook/Meta is doing anything. Logging into the FB account says that a review has been requested, logging out says that time is running out to request a review. So, is anything happening at all? Probably not. Even tagging Meta’s head of security policy does nothing to draw attention to this problem.

Oh let the bots come rolling in

In case you’re wondering what happens when you reach out on Twitter for support, let me tell you – the bots. Oh, my, the bots. “Did your account get hacked? Try this hacker security something or other and they’ll get your hack back.”

Now, even if there are legitimate companies out there who could, potentially, help someone regain access to their account – it shouldn’t be necessary. And the absence of any meaningful response from Facebook/Meta to Account Takeovers like this means that even more unscrupulous players swoop in, like botfly-laden mosquitoes, ready to pounce on people who have already been the victim of an attack.

The prevalence of these predators is entirely Facebook/Meta’s fault. They could fix this, by simply making sure that victims get live, human responses instead of relying on incomplete and/or broken AI.

What will be lost

So much will be lost if Facebook does nothing to help with this (and I have no reason to believe they will). Along with communication I have had with people via messenger, and all the contacts that I have made over the course of a decade, which includes personal, business and political connections, there are also the pages of friends and family who have died. Anything I had been tagged in over the years, the long history of that FB account, so many events that I helped run over the years, all will be lost to the etherverse. So, too, will my business FB page (which has also been disabled as a result of this attack), group memberships, including groups I managed (like an Autism Dads and Men’s group). Fortunately, it looks like my Oculus purchases might be safe, since Meta backed off on that requirement, but I was concerned about that, too. Some of this loss won’t be tragic; other parts will be harder to handle. I already miss my Grandmother. Losing access to the FB messages we sent back and forth will definitely be something hard to forgive.

The Data Protection Agency

I’m not the only person to complain about the lack of any kind of access to a real human at Facebook to deal with these problems. And, while I have been reluctant to join the oversight party, having looked at Facebook’s terms of service and the limited amount of responsibility that they choose to take for themselves, I have to say that this experience has pushed me to support the movement for a Data Protection Agency in the U.S. Among the other proposed elements of this legislation, it would require companies like Facebook to disclose hacks and breaches, and would prevent accounts from being deleted during the course of an investigation. As the hour grows closer for my account to be deleted, not by the hackers, but by Facebook for failing to address the actions of the hackers, I definitely see the appeal of such legislation.