My Facebook got hacked when I tried to help a friend. Do not make this mistake. Do not send codes or money. Your friend’s account is hacked. You are about to fall victim and your friends will be next. My advice to users and designers including the gory details of my story.
January 3, 2024
I have been working in technology for 25+ years as a User Experience Consultant while also teaching User Experience Design at the University of Toronto. Despite all my experience, my Facebook account was hacked. Now I’m writing this article so that you can learn from my experience and avoid it. In my job, I advise clients and students on how to make their technology systems easier to use. During my career I have witnessed the advance of many new technologies, but the speed and reach with which social media has become an essential application has been remarkable. The power to connect people has fueled social media’s astronomic growth. Facebook has led the social media wave, reaching nearly three billion monthly active users.
I have been using Facebook since 2007. Recently, I’d been hearing concerning news that many Facebook accounts in my network were being hacked and hijacked. The concept of Facebook hacks wasn’t new to me. I had fallen victim to one myself in 2015, when in an instant I lost an account that I had used for over a decade, with 1000+ contacts and dozens of community group memberships; in several of these groups I was the only moderator. Ever since that experience, I’ve tried to be on high alert to avoid such a disaster from happening again.
But these days, hacking and hijacking no longer take the form that once made a fool of me, nor the form still often featured in films, with a group of criminal masterminds writing code to break through advanced encryption. Today, it is done through social engineering. These modern-day crooks conduct their nefarious activities by manipulating human emotions and empathy. And the most frightening part of all is that they’re no longer your long-lost cousin, who happens to be a wealthy Nigerian prince, trying to get you. Now, they could look and sound like your actual cousin.
Facebook has become fertile ground for social-engineering attacks that target empathy. Accounts get hijacked and are then used to prey on the victims’ network of Facebook friends. These hackers masquerade as your Facebook friend, your co-worker, your neighbor, or even your own family member, and approach you to ask for cash or other favors, knowing you’re more likely to respond to someone you care about than to some unknown stranger from across the world.
With the rapid development of modern technology, there are endless ways they can accomplish this: the requests can come via Facebook Messenger, texts to your personal number, or even in the form of deepfake videos impersonating the account holder in a one-to-one video call!
With all of this technology so easily accessible to anyone with questionable morals and an internet connection, it was only a matter of time until their methods became advanced enough to even trick someone who should know better.
Someone like me.
These social-engineering attacks often succeed when we are not being vigilant, when we are tired, or when we are in a hurry. The hackers know the psychological tricks and apply them skillfully to gain the advantage.
I was traveling to attend a busy weekend event with a group of friends in Lausanne, Switzerland.
I checked my Facebook Messenger App and found a message from my American friend Joe (not his real name).
13:53 Joe: “Can you do me a favor”
18:21 Me: “Like what?” I responded some hours later.
18:22 “Please I was trying to login in my Facebook page on new phone and they ask me to find someone to help me receive a code, Facebook gave me two friends suggestions and you are one of them, the other person isn’t online. will you Help me receive the code please (sad face emoji)?”
If I hadn’t been in a loud and busy place, I might have noticed the erratic grammar and punctuation, or lack thereof, in the request. Reviewing it now, you can easily tell that it was copied and pasted together.
18:36 Me: “Now. Yes”
18:37 Joe: “Send me the code sent to your Facebook notification now”
Much later, I saw a Facebook Notification sent at 18:37, “Tap to see the login code you requested from another device.” But at the time, it had not yet arrived due to network delays.
18:39 “What code. No code yet?!” I responded.
18:39 ‘Joe’ sent me a screenshot of the Notifications page from their Facebook App with a caption “Check here”
I noticed familiar names and groups on that image. This hacker was communicating from the real Joe’s Facebook account to gain my trust.
Much later, I noticed the lack of niceties in the subsequent messages: there were no more pleases and no thank-yous. In the heat of the moment, I did not notice this change in tone!
18:41 Me: “Nothing yet”
Much later, I saw a Facebook Notification timed 18:42, “Tap to see the login code you requested from another device.” But before I could see it, ‘Joe’ pressed on.
18:42 Joe: “Send me your cell phone number”
18:43 Me: “I’m abroad in Europe now. I have a different Sim. I have WhatsApp access. My phone does not get SMS codes”
I tried to explain my situation, in hopes that Joe might look for assistance elsewhere.
18:43 Joe: “What’s your email?”
18:44 Me: (my email address)
Then, there was a 6-minute pause in the hacker’s messages. During this pause ‘Joe’ was probably trying to log in to my Facebook account to reset the password. They probably noticed a mismatch between my Facebook account profile and the one connected to the real Joe’s profile, since I have two different Facebook accounts with different emails. Or they noticed that the exposed parts of the recovery email address did not match the email address that I had shared.
18:51 Joe: “This is link to your Facebook?”
I immediately realized and corrected my mistake, to help my friend Joe.
18:52 Me: “No I think (my other email)”
Much later, I saw four separate Facebook Notifications, all sent at 18:52, “Tap to see the login code you requested from another device.” I might have been tipped off by the hacker’s impatience, demonstrated by four separate notifications sent in one minute. But these notifications were delayed in network traffic, so I could not see them yet.
In order to check my other email, I needed to log in to a webmail client in a browser. To do this I needed to switch my SIM card, because only my home SIM would receive the security code for two-factor authentication (2FA). While traveling, I use a different SIM to avoid roaming fees.
Switching SIMs was quite an ordeal, requiring many steps in multiple places to change settings, frequencies, profiles, and networks. But I reminded myself that I was doing it to help my friend Joe get into his Facebook account. Now, 40 minutes into this task, the sunk-costs were pushing me forward.
18:56 Joe: “Did you get it”
18:57 Me: “No I need to switch sims to get the code to login to that email…”
18:58 Joe: “Check your Facebook Notification. It’s sent there”
18:58 Facebook Notification: “Your login code is 123 456”
I did not read the remaining text on the page, in a barely legible, tiny grey font:
“Enter this code on the device where you’re trying to log in. Don’t share it with anyone else.”
Between my hurrying to answer Joe and the light grey font, I missed the important warning. Instead, I took a screenshot of the Facebook Notification login-code message and sent it.
18:59 Joe: “Send me the new code sent to your email now”
Much later, I discovered an email message stating that at 18:59 my Facebook password was reset near Philadelphia, United States, using an iPhone 14 Pro Max (iOS).
This was the moment when ‘Joe’ hijacked my account.
But it did not end there. The social-engineering conversation continued for 12 more minutes. Why? My theory is that either ‘Joe’ was new at this and unaware that my account was already hijacked, or the rest of the exchange was a distraction to stall me from discovering this fact, interfering with the hijacking, and regaining my access.
19:01 Me: “What is your WhatsApp number?”
Stressed by this extended exchange, I wanted to talk to Joe. I wanted to switch channels to WhatsApp for added security of the voice communication. Unfortunately, I did not wait for the reply. Instead, with my guard down, I went to find the new code that Joe had requested.
I switched SIMs and got my text code from my Home SIM and entered it into the browser at 19:04 to access my other email. There the second Security Code Message awaited me. It read,
18:59 Facebook email Subject: “Your Facebook Security Code 12345678”
“Hi Ilona, your security code is: 12345678. To help us confirm your identity on Facebook, we need to verify your email address. Paste this code into your browser. It can only be used once. If you didn’t request a code, someone may be trying to access your account. To make sure your account is secure you can change your password.”
After skimming, not really reading the email, I was confused.
- “Verify your email address?” Was I not helping Joe with his Facebook, why do I need to verify my email?
- “Paste code into browser,” Which browser? Where in the browser to paste?
- “Change password,” But I didn’t want to change my password at this moment.
In my confusion and frustration after trying to help Joe for the past 45 minutes, I took a screenshot of the last Facebook email. Then at 19:08, I sent the screenshot of the email with the second security-code message to Joe.
19:10 Joe: “Check the new code”
19:10 Facebook email was sent with a new Security code to my other email.
19:11 Joe initiated a Video call, which I noticed only much later.
This whole time, while I was struggling for nearly one hour, a friend was sitting beside me watching quietly. I explained that I was trying to help my friend access his Facebook on his new phone and I had to send him a code sent to me by Facebook.
My quiet friend asked,
19:10 “What if you’re not sending the code to help your friend, but are actually sending a code to let someone break into YOUR FACEBOOK ACCOUNT INSTEAD!?”
At this moment I awoke out of my techno-dazed-state to sounds of ALARM BELLS clanging loudly inside my skull. Sweat began pouring down my back, and my brain started screaming:
“Oh No! Of Course! I have been HACKED! How could I be so STUPID! I should know better! How can I expect my parents to avoid these traps if I fell in myself!”
From the point when I realized that my account was hacked and hijacked, I faced a virtually endless cycle of troubleshooting and confirming my identity in attempts to restore my account. I’ve included the details here for those who might be curious about the flow, or who may be going through the same experience:
19:16 Facebook email Subject: Someone may have accessed your account
“Hi Ilona, it looks like someone may have accessed your Facebook account. To secure your account, you’ll need to answer a few questions and change your password the next time you go to Facebook. For your protection, no one can see you on Facebook until you secure your account. Thanks, The Facebook Security Team.”
I clicked the link which directed me back to Facebook where I encountered the following instructions,
“We’ll walk you through a few steps to help confirm your identity, please provide the following information.
Step 1: Enter an email address We’ll use this address to send you messages about recovering your account.
Step 2: Upload your ID We’ll use your official ID to help confirm who you are. It won’t be shared on your profile. [Next]”
I did not want to give Facebook my official ID, so I did not press [Next]. Instead, I looked for other ways to get my account back. When I tried to log in to my account again, I encountered the login page with a big red banner at the top which read,
19:24 Facebook Login Page Banner “Facebook is down for required maintenance right now, but you should be able to get back on within a few minutes. In the meantime, read more about why you’re seeing this message. Thanks for your patience as we improve the site.”
I asked a nearby friend to check whether Facebook was really “down for required maintenance,” as this message was claiming. It was working perfectly fine for my friend. So perhaps this was a temporary delay by Facebook to protect my account from further interference? Hard to say.
I kept trying different paths at this point. Then, somehow a glimmer of hope appeared in the next email,
19:30 Facebook email Subject: 123456 is your Facebook account recovery code
“Hi Ilona, We received a request to reset your Facebook password. Enter the following password reset code: 123456 Alternatively, you can directly change your password. [Change password] button.
Didn’t request this change? If you didn’t request a new password, let us know.”
I followed this path and was able to change my password, which was confirmed by the next email. Or was it?!
19:31 Facebook email Subject: Did you reset your password?
“Hi Ilona, This is to let you know that your password was just reset. About this change Saturday, November 25, 2023 at 1:31 PM (EST). Near Roubaix, France, iPhone 8 Plus, iOS. If this was you, you don’t need to do anything. Thanks, The Facebook Security Team”
Was this me? I was not certain.
I recognized the phone model iPhone 8 Plus. But the location was unknown to me. I was in Lausanne Switzerland, where was Roubaix, France? Was someone else trying to hack my Facebook account from France? Or did Facebook just have the location wrong? Was this my own doing, my latest password change but with the wrong address on it?
I missed the above email initially because it appeared as the second message in an email thread, beneath the earlier 18:59 password-reset message from Philadelphia.
At this point, my quiet friend suggested that it would be better to use my computer for such important interactions. I might more easily avoid clicking bad links in a browser on a computer rather than on a phone. I followed this good advice.
Upon my return to my computer in my hotel, I tried launching Facebook again. The Error message read,
22:51 mobile.facebook.com Error message
“Oops Can’t perform the action you requested. Try again later. [OK]”
I could see my Facebook profile from another Facebook account, but any time I tried to click into the profile I encountered the above error message. My account was in a limbo state, I guessed.
The remainder of that weekend I was unable to access my account, which contained information that was fundamental to my travels.
On Sunday morning I wrote a pleading WhatsApp message to a friend who works at Meta / Facebook. I explained my predicament and begged for help. Sunday afternoon I received a reply asking for some account details and a promise to escalate my case to the special Meta support for friends and family.
Monday morning, November 27, I noticed two email messages from Saturday, November 25 that I had not seen previously:
20:14 Google – Critical Security Alert – Someone tried to change how you sign-in
21:32 Facebook Email – Your email confirmation code 123456… Use this code to verify your email address on Facebook.
From the first email I realized that the hacker had tried to access my email account after first hijacking my Facebook account. Or rather after failing to hijack my Facebook account, because it seemed I was able to change password and secure my account following its hijacking.
From the second email I was able to verify my email address on Facebook!
When I entered Facebook Monday morning, I saw this message:
09:52 “Ilona, your account has been locked We saw unusual activity on your account. This may mean that someone has used your account without your knowledge.
Account Locked November 25, 2023 To protect you, your profile is not visible to people on Facebook and you can’t use your account.
We’ll talk you through some steps to unlock your account. [Get started]”
I wanted to know exactly what time my account was locked, but that information was not available. For 7 minutes, I slowly followed a sequence of Facebook’s step-by-step instructions:
09:52 “Next steps to unlock your account
( • ) Account confirmed
( ) Secure your login details Check all the emails and phone numbers on your account. You can add new ones or remove any old or unfamiliar ones.
( ) Your account will be unlocked [NEXT].” I clicked the [NEXT] button.
09:53 “Secure your login details The phone number or email on your account may have been added by someone else or used by them to log in.
Because this is the only phone number or email on your account, you can’t remove it here. For your security, we recommend you change it to something different in Account Settings when you are back on Facebook. [NEXT]”
09:53 “You’ve unlocked your account You’ve secured your login details and can use Facebook again.
Review recent activity TIP: We can help you review recent activity to make sure your account is still the way you want it: Recent posts & comments, Friends added recently, Recent logins. [Review recent activity][Back to Facebook]”
09:54 “Hi Ilona, let’s secure your account
To help keep your Facebook account secure, we’ll take you through a few steps to change your password and make sure any recent changes to your account came from you [Get Started]”
09:56 “Keep your account secure
It looks like some changes were made to your account. Now we’ll help you look at recent changes and turn on extra security.
1) Pages you liked or followed 2) People you added or followed 3) Posts 4) Comments”
09:56 “People you added or followed If you didn’t add these people or follow their profiles yourself, you can remove them now. Select all (20) … followed by a list of names of people I added in the last few days.”
09:58 “Check your recent posts Please delete any recent posts that you don’t want on Facebook. Select all (3) … followed by list of pictures I added in recent days with their captions.”
09:59 “Check recent comments Please delete any recent comments that you don’t want on Facebook. Select all (10) … followed by a list of my recent comments.”
09:59 “All done! Thanks for taking the time to secure your account.
1) Pages you liked or followed 2) People you added or followed 3) Posts 4) Comments
[Go to News Feed]”
With a huge relief and after visiting my Facebook newsfeed, I tried to open Facebook Messenger, which gave me the “Oops” error messages earlier. Messenger welcomed me back!
10:01 “Continue as MyFacebookProfileName You’ll get notification dots letting you know other accounts have received messages, but you’ll need to sign in to see the actual messages. [OK]”
I cannot describe my happiness when I finally got my Facebook back, and knowing that it wasn’t permanently hijacked to be used for unsavory purposes, or even just lost forever. I was even happy to see the Messenger conversation with ‘Joe’ with the final prompt,
19:11 “Missed video call Tap to call back” – I did not call back.
I wrote this post-mortem in order to help others avoid the same hassle that I had to go through. This section lists my suggestions for users and designers.
- Be wary of requests for favours from friends and acquaintances
- Never share codes!
- Confirm the validity of any unusual requests using multiple communication channels
- Go slow, especially if tired or rushed. Read the system messages slowly and carefully. Special requests can usually wait for your help
- Download your personal information periodically in case your account is hijacked; it is easier to restart from your curated list of friends and groups than from memory. See the help page “Download a copy of your information on Facebook” https://www.facebook.com/help/212802592074644
- Check the activity log periodically to ensure no one is using your account without your knowledge. See “Find your Facebook activity log” https://www.facebook.com/help/289066827791446
- Communicate with users: Many different notifications are sent to many different channels, especially new-login notifications sent to backup emails and texts.
- Security enhancements: Two-factor authentication using multiple devices adds protection to online access.
- Alternate password-reset paths: These are provided for forgetful users, such as:
- Activity tracking: This enables users to review recent transactions on their accounts in order to identify any unfamiliar or foreign activities. See the help page “Find your Facebook activity log” https://www.facebook.com/help/289066827791446
- Provide alternative paths: Users are being trained to be wary of clicking buttons in emails, as these may lead to dangerous phishing sites. So thoughtful designers provide alternatives in the form of readable links that can be manually entered into a browser, in addition to standard [Call-to-Action Buttons].
- Support account recovery: Facebook locked my account on Nov 25. With Wi-Fi access, I was able to recover my account on Monday, November 27, starting at 9:52 AM. Only 7 minutes later, I was confident, having checked all my previous account activities.
- Don’t cry wolf! Notification fatigue is leading users to ignore important messages from their devices, services, and apps. Designers need to separate critical communications from casual updates or promotional messaging and allow separate notification settings for each type of message in each different channel.
- Effective warning messages: Important warnings should be hard to skip. Users don’t read; they skim text and click links following the ‘scent of information’. Designers need to understand users’ context and stress level and address those appropriately. Calls to action should be informative and complete, and reasonable alternatives should be provided that are timely and that users can understand.
- Provide accurate information: The location of my password change was in Switzerland, not in France as reported by Facebook. This accuracy error led to confusion and doubt.
- Visible warning messages: Use high-contrast colors to ensure that users do not miss the critical points in the warning.
- Back up users’ data: I had no backups of my Facebook account information, my friends list, groups, events, etc. This important information is irreplaceable in case of account hijacking. It is possible to download personal data from Facebook manually. This was the first thing I did after my account was restored. This information would allow a new account to be restored if the hijacking was irreversible. It would be better to have this automated, similar to automatic backups of important work-in-progress documents.
- Link related apps together: App-switching is difficult for users. Facebook has Messenger alerts appear inside the Facebook app, and both apps are tied together with a single login, making switching back and forth painless. During my Facebook hijacking, I had to spend significant time app-switching. I had to receive security codes sent to my two SIMs, to get emails from different accounts, across different communication channels, and using different login information. Supporting easier app-switching between different apps and systems would be helpful to the experience, although this may be challenging due to security concerns.
- Digital product boundaries: Many digital solutions are comprised of multiple products. These digital products’ boundaries are invisible to anyone outside the products’ organization. Meta’s products such as Facebook, Messenger, Ads, and Instagram are all separate products, developed, maintained, and supported by different teams. However, users have a very different perspective on these digital products. Users see the products as inter-connected or, more often, as a single solution. So my friend, who was able to recover her Facebook account and review recent activities, was not alerted to the fact that her Facebook Ads account was hacked. Her Facebook Ads contacts and payment methods were changed. Correcting this demanded significantly more time and effort from the user. The agile product development cycle makes this type of situation worse, because it supports the release of minimal viable products to users. Some minimal products provide insufficient user experiences.
- Support users in times of need: We can take a note from Apple as an example here. I recently called from inside my Apple Support app, which has all the information regarding my Apple devices built in and updated via all my Apple ID purchases. The Apple support staff are extremely knowledgeable, helpful, and patient! They give users an option to not have their call recorded. They give callers the option to pick a choice of music to listen to while on hold, including a silent option. The support associate can easily view users’ device screens during the call and point with a large red arrow to different parts of the interface while they assist users with navigation. Having live support for Facebook would be valuable. I could even see paying for a service that would help recover my social connections.
- Give users control: ‘User Control and Freedom’ is the first of the well-established Usability Heuristics. Users gain confidence when they learn to control their systems. Cloud services such as Facebook take control away from users with constant updates and changes of functionality. These changes make users lose context and may lead to accidental security breaches and increased hijackings.
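The “don’t cry wolf” point and the four login codes issued within one minute at 18:52 suggest a defender-side check that the article describes only in prose. As an added example (not part of the original article and not Facebook’s own detection logic), the Python below parses a constructed log of login-code issuance events, modeled on the timestamps in the story, and flags any account that receives more than a set number of codes inside a short sliding window. The log format, the account names, the event name and the thresholds are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format "HH:MM event account"), modeled on the
# login-code notifications described in the story: one at 18:37, one at 18:42,
# four at 18:52 and one at 18:58, plus an unrelated account for contrast.
SAMPLE_LOG = """\
18:37 login_code_issued ilona
18:42 login_code_issued ilona
18:52 login_code_issued ilona
18:52 login_code_issued ilona
18:52 login_code_issued ilona
18:52 login_code_issued ilona
18:58 login_code_issued ilona
18:40 login_code_issued other_user
"""


def parse_events(text):
    """Parse log lines into (timestamp, event, account) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, account = line.split()
        events.append((datetime.strptime(stamp, "%H:%M"), event, account))
    return sorted(events)


def find_bursts(events, max_codes=3, window_minutes=5):
    """Flag accounts that receive more than `max_codes` login codes within any
    sliding window of `window_minutes`. Returns a list of (account, "HH:MM",
    count) alerts, one per event that pushes the window over the threshold."""
    window = timedelta(minutes=window_minutes)
    recent = {}  # account -> deque of timestamps still inside the window
    alerts = []
    for stamp, event, account in events:
        if event != "login_code_issued":
            continue
        queue = recent.setdefault(account, deque())
        queue.append(stamp)
        # Drop timestamps that have fallen out of the window (the one just
        # appended always stays, so the deque is never empty here).
        while queue[0] < stamp - window:
            queue.popleft()
        if len(queue) > max_codes:
            alerts.append((account, stamp.strftime("%H:%M"), len(queue)))
    return alerts


def summarize(alerts):
    """Collapse alerts to one entry per account: first alert time and peak count."""
    summary = {}
    for account, stamp, count in alerts:
        first, peak = summary.get(account, (stamp, 0))
        summary[account] = (first, max(peak, count))
    return summary


if __name__ == "__main__":
    alerts = find_bursts(parse_events(SAMPLE_LOG))
    for account, (first, peak) in summarize(alerts).items():
        print(f"{account}: burst of login codes from {first}, peak {peak} in 5 min")
```

With the default settings only the 18:52 burst trips the check; widening the window to 10 minutes also catches the 18:58 code as part of the same run. A system acting on such an alert would hold further codes for that account and send a single, clearly worded notice to every registered channel rather than yet another copy of the same notification.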
I shared a draft of this article with some friends, three of whom had had their Facebook accounts hacked. They responded with some additional details that may benefit others.
One techie had his friends scammed into sending money following pleas from his hacked account:
“There are 3 friends that I know of who were scammed from my hijacked account. They each paid between $450 – $500. I paid two of them back the money they lost to the scammer. So, while losing control of the account is one thing, having your friends lose money due to the hijacking is another thing. Might be something you can include in your article: the reason why the account was hacked is so the scammer can trick your friends into “loaning” you money which they will never get back.”
Another friend had her account hacked. She made the mistake of clicking on a link in a phishing message sent to her business Facebook Page, which collected her login credentials. The hackers used these to gain access to her Instagram account, which was connected to her Facebook. Her hacked Instagram was used to post unwanted ads, which violated guidelines and got it blocked. Then, in desperation, she tried the Meta Verified service, which charged her $18/month to speak to a live support person but led to another dead end. Her efforts to unlock her accounts were fruitless until a friend working at Meta was able to escalate her case through backend support.
Next, the same poor friend lost her Facebook again when her Facebook Ads profile was seized by hackers. Her Facebook Ads account initiated an aggressive advertising campaign for a China-based online vendor. She received notifications and invoices for Facebook Ads she had no knowledge of. She had to send multiple proofs, including IDs, selfies, and her passport, to the Facebook Advertising Support team. All her accounts were blocked. Eventually she regained access to her Facebook account. But her Facebook Ads account remained blocked, even though Meta issued her some bonus coupons to pay for future ads, which she is not very keen to use. She lost many work-days trying to untangle this.
Yet another friend has been fighting to recover her account for several weeks,
“I was tired when that happened and lost vigilance, when I realized it just a few minutes later it was already too late. From that point on it was a race, I briefly regained access but they overtook it again so that was that. I’ve been fighting it ever since! …
I wanted to share a few words about my own “recovery”: no sooner do I think I am making progress, i.e. having successfully removed their email accounts, having uploaded my selfie and waiting for the, fingers crossed, successful resolution I go to bed only to wake up to Facebook emails that someone changed my info again and I am again unable to log in with my email. This has happened many times over, I feel like I am in an endless loop of hopes and disappointments! And being that the last one was on the New Year’s Eve, I woke up to new messages and phone calls of friends being hacked.
They now use the photo of the host they hack and make it into a fuzzy video, making believe that the person who is trying to log back in has a connectivity issue and thus can’t log in. But friends said to me “you called me, it was a video of you!”
I Googled Facebook phone numbers and a few listed were just a recording with a useless tip of a website. But one answered, I was so relieved and grateful for help! Only to be scammed even more and worse. I am ashamed of being taken for a ride but as we both know, they ARE skillful in what they do!
I hate fb with a passion now, more so than ever! It’s a catch 22, trying to get back in. I would have happily left it, but I’m connected to so many friends all over the world that it’s a shame not to be able to be in touch!”
During and after my recovery, I was able to visit the Facebook profile of my friend Joe and see his face smiling at me, with his 946 friends (119 mutual). I wondered how many of his friends were as careless as I was, fell for the same scam, and had their Facebook accounts hijacked.
After reading my friends’ stories, perhaps you are thinking, Ilona was lucky, her account was only down for a couple of days, and Facebook was fairly quick in seeing the unusual activity and locking the account. But when I add up the wasted time, the stress, and the worries about losing data and having my friends affected, then it was a costly experience for me. And it is painful, in retrospect, for me to remember that I was communicating with a scammer, believing him to be my friend.
I hope that you can learn from my experience and that of my hacked friends. Stay safe and happy communicating on social media with your real friends.
I want to thank Facebook/Meta for making it possible for me to connect to thousands of friends around the world. I want to thank my friends who helped me during and after this incident. I also owe a debt of gratitude to those who read an early version of this article and gave valuable feedback, especially Serena Posner, Mark Chignell, and Mun Kew Leong.