Two Factor Hack
Facebook and Automated Customer Service
Take a stroll through Reddit’s r/facebook and you will begin to see a theme emerging: “I’ve been hacked, my account has been disabled, and I can’t get back in”. Any forum for a service is bound to have countless posts from people asking for help and reporting issues. And admittedly when it happened to me, I thought, “well I’m just seeing what I’m looking for”. But when so many people reported problems with two factor authentication, something that is supposed to make our accounts more secure, I started to see that there is a specific loophole currently being exploited in Facebook’s security system.
Even for the daily user, it’s worth taking stock of what a Facebook account holds and what any user could suddenly lose access to. Let’s start with the obvious: posts and pictures. Posts are, well, just text and something that we can probably live without. For pictures, it could pose a bigger problem but then we’re quick to remember that those photos are also on our phone. Or are they?
That’s when I started to think about just how old my Facebook account is, about fifteen years at this point. Many photos of mine don’t exist on any other device and I’m sure I’m not the only one. And then I think of messages. The thought of losing old embarrassing messages could be a relief to some. But what about messages between those who are no longer with us? These conversations are locked, out there in the internet, little pieces of those we love and can no longer speak to.
Being locked out of Facebook has more than just personal consequences. For me, I’m the only admin of a group of 600+ members. I have a business account and Facebook Ads Manager account. I run several different pages in which I am the only owner.
This is just scratching the surface of our “possessions” on Facebook. And you may be thinking, “Yeah, we know. This is nothing new.” And in some cases, that may be true. But this is not just about what we could potentially lose access to on our social media accounts. This is not even strictly about hacking. This is about a specific, increasingly common situation and how Facebook is handling it. Let’s dive in.
It starts like this: you get an email stating that your password has been changed. Facebook provides the IP address and location of where the change occurred and you note that it is not where you were at the time stated. For me, it happened to be only a few miles from where I lived, increasing the confusion. In reality, someone just used a VPN.
So you go to Facebook and your old password doesn’t work. O.K. weird, but you can request a new one. Except you can’t. All your contact info has been changed. Your email and phone number have been removed and your account has been deactivated. Any requests to update the password are going to go to the hacker’s email. The last emails that you’ll get from Facebook are that random people have been added as managers to your business account and may have immediately started spending money on your credit card for ads.
Facebook does have a process to recover the account but unfortunately it is deeply flawed. You’re able to attach the account to a different email of yours by sending in a picture of your driver’s license or some other form of ID. Depending on what device you use, Facebook may force you to take a picture instead of uploading it. If that’s the case then it will automatically take a picture that is too blurry to be used and you’ll get an email saying it wasn’t accepted. So you have to start the process over on a device that will let you upload a picture.
Once uploaded and sent, you will have to wait up to 48 hours to have the new email assigned to the account so that you can change the password and get in. That can be a long time in the business world. But hey, in most cases this will work and in two days you go back to reset the password and it has your email attached to the account. Only it still has the hacker’s censored email address attached so they will be aware of any password changes and even get the access codes to do so. But you at least now have access to the code and you can click it and update the password. So that’s a success. Until you log in with said new password.
The clincher is that the hacker has enabled two-factor authentication, something you may not have even been aware that Facebook has. And remember, your phone is no longer attached to the account. The hacker has also removed all trusted devices so there’s nowhere to log in. There is nowhere to get your dual authentication. This is the dead end that so many have experienced.
There is no one to talk to at Facebook. All the customer service is automated, and the system is not aware of this issue. Any human would be able to realize that an account has been hacked and belongs to the person in all the pictures who has provided several forms of ID; the algorithms do not. A human would be able to see that your email address and phone number were the same for a decade or more and now have suspiciously been changed.
You can try blasting Facebook on Twitter but all you will get are bots who tell you they “know someone who can help”, a further scam. There is not a chat feature in Facebook’s support. There are forums but no one will answer or you will get a canned response to follow the process which has already led to the two factor dead end.
Some have said that they have recovered their accounts by emailing security@facebookmail.com. Some have been able to chat with actual humans if they run an ad for a business page or own an Oculus product of some kind.
But by and large you’re just stuck. And if you follow Facebook’s advice, then you’re just done. They suggest not creating a new account. And if you do, it could be the reason that you never get access to the old one. To add to that, the fact that your account is disabled and you can’t log in means you lose access to additional support features like posting in Facebook’s help forums or the live chat that may or may not exist for paying business customers.
This is a rising issue for Facebook users. It may not be happening to a large population yet, but it can happen to anyone. If you haven’t set up two factor yet, do it now. Save those recovery codes in several places. There’s a feature where you can trust friends to help you recover your account; seek that out as well. If you manage pages, groups, or businesses, you should share access with someone you trust. Otherwise you can wind up in this situation in the blink of an eye.
For me, I haven’t had access since May 31st, 2021, or 24 days and counting. For others it’s been months. This is just one situation and hacker strategy that results in a dead end. There will inevitably be more scams that take advantage of an automated security system. Now combined with automated customer service, that only increases the chances of people finding themselves in a customer service road block.
Users should be aware of the current loopholes being exploited in the Facebook system. This specific issue could be a huge problem for those who rely on Facebook for business, community leadership, and more. I hope for all users’ sake, Facebook will address this issue and find a way to resolve or at the very least, respond to these types of issues faster. Until then, users on the help forums will be waiting.
If this situation has affected you or someone you know, please reach out and share your story in the comments or use #facebooktwofactor and #facebookhacked so we can bring this issue to light.