I’m quite cyber-security aware. I have a Computer Science degree and run a web development agency. I manage hundreds of websites for clients. All of my logins use unique 20-character passwords generated using the Keeper password manager. I have 2FA activated on all significant accounts. I don’t share passwords. I know what a phishing email looks like and receive emails almost daily from clients asking “is this email a scam?”. I’m generally quite careful in this area. Even so, despite these efforts my Facebook account has been hacked – and now disabled – and a) I can’t fully work out how it happened, b) there’s no way of getting in touch with anyone at Facebook, and c) my Facebook ad account is still running, apparently being used fraudulently (I’ve received 2 bills in 24 hours for 16 times my daily budget) and there’s no way to access the account to turn this off (this seems like a bit of a flaw, wouldn’t you agree?).
As addressing this problem has already taken several hours and already feels like banging my head against a brick wall, I thought it would be interesting to document the process.
I received a Facebook 2FA notification at 5:37am this morning
These emails are not sent unless there has been a successful login to the account, so I already knew my password had been compromised. Two-factor authentication (2FA) is the failsafe against this, so I wasn’t overly worried. A text message with a code sent to my phone was required as an additional login factor, and as the phone was with me that should protect me.
I received a second 2FA notification at 12:26pm, so I thought I’d better check all was well.
I logged into my account and changed and scrambled my password. I then logged into the security centre and notified Facebook of the unauthorised activity. This prompted a flurry of forced password changes initiated by Facebook.
Unusual Facebook activity
Whilst at the park with the kids I received two emails from Facebook. One authorised One-Click and another, 35 minutes later, provided a Facebook recovery code. I didn’t notice these until later.
At 4pm I tried to log into my Facebook account. I was sent a 2FA notification and I was forced to change my password on login. On login I was immediately redirected to an account suspended screen due to “violating Community Standards”.
It seems that this is a well-known hack, reported in multiple news outlets such as this Australian article from October 2021: Hackers using child exploitation images to disable people’s Facebook accounts
I have requested a review. The problem is the review appears to be for the content illegally shared, not for the hack. There doesn’t appear to be any way around this, and trying to contact someone at Facebook appears to be impossible.
So How Did This Happen?
I’m still not sure. The 2FA should have protected me, and I had a strong, scrambled, unique password. My phone is still working so I don’t think this is SIM spoofing. I need to know from Facebook how a hacker was able to bypass 2FA. There is no evidence of malware on my phone.
Implication for Facebook Ads
My Facebook Ads account is still running, still charging me, and I am unable to access it. I have been charged 16x my daily budget in the last 24 hours.
I have appealed to PayPal on this. As the hacker appears to be using my existing Facebook direct debit (DD) agreement, I suspect the appeal will be denied.
*Edit – the PayPal appeal has indeed been denied.
So I’m not sure where this is going. I’ve had the account since September 2006 and it documents the births of my children and their growing up, meeting my wife, our wedding, house moves, successes and failures and life together. I use it to keep in touch with my friends and family around the world and chat to people daily. It feels quite brutal to have that all just wiped out. It feels a bit like having my house ransacked by a burglar and then being evicted because of the mess.
I also have Facebook Messenger forms on my business websites which are still active and I can’t access. I have ads running that I am being charged for that I can’t access. I have no expectation that I’m getting access back.
So my first thought is that Facebook is a REALLY REALLY BAD place to manage life and business. Even if I do get the account back, I will be making changes to dramatically reduce reliance on this channel. To be thrown off with no clear recourse to appeal, due to a known, publicised and clear hack, makes it an incredibly unpredictable and unstable channel to manage life upon, the equivalent of building a house on the side of a volcano.
I’ll continue to document the process here.