A rash of small businesses on Facebook found their accounts locked after being hacked. And it’s impossible to contact Meta to get the problem fixed.
A trickle of reports have turned into a flood. Meanwhile, businesses, charities and non-profits are losing revenue, while Facebook fails to deliver. Online self-service flows are broken, Meta support follows useless scripts and promised callbacks never materialize.
The moral of the story? Don’t neglect the tooling to support users — even if the service is “free.” In this week’s Secure Software Blogwatch, we are the product.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Vandalizing old email.
Facebook farce
What’s the craic? Tatum Hunter reports — “The long, lonely wait to recover a hacked Facebook”:
“Not much appears to have changed”
Lucretia Groce … got kicked out of her account. Someone had posted abusive content from her page. … Her account had been hacked. Groce said she cried for hours.
…
How, without access to her personal account, could she recover the business page she had worked hard to grow? [She] estimates she has lost $18,000 in income after waiting for months for her account to be unlocked. … Her old videos were still making money … but none of that money was appearing in her bank account.
…
Her frustrating experience is not unique. [I’ve] received hundreds of emails from people locked out of their Facebook accounts … Many lose their accounts to hackers, who take over Facebook pages to resell them or to game search-engine rankings. … Despite reporting revenue of more than $27 billion in the third quarter … Meta is a multinational technology giant without real customer support.
…
The company says 40,000 [people] are devoted to safety and security efforts. … Last year [it said] it was working on new processes to solve these problems. A year later, not much appears to have changed.
That sounds like a big ball of suck. Here’s treborhclew’s experience:
“This is a disaster”
My startup company's Facebook account was … "permanently suspended" shortly after creating a Facebook Business Ad Account. I don't have a personal Facebook, so I was required to create one; I did so using my company email and then made a Business Ad Account.
…
I was able to lift the suspension on my personal account by uploading a photocopy of my ID. However, the suspension on the company's Facebook account is still active. Automated emails from Facebook say to expect a response in 48 hours, but I have been waiting to hear back for a week.
…
And, if that wasn't enough of a headache, I have a signed agreement with the local news to advertise my company/product towards the end of November. This is a disaster.
How does this work? Ashley Belanger explains — “Meta keeps booting small-business owners for being hacked”:
“Resulted in financial losses”
[This] has happened to seemingly dozens of individuals and small-business owners: … A hacker gains access to a Meta account, then adds their account to the business owner’s ad account before removing the original account owner. At that point, the hacker has taken over the ad account completely. Then, the hacker moves quickly to knock the original user off Meta before they notice.
…
To do this, the hacker posts inappropriate content like pornography, which quickly prompts Meta content moderators to disable the original account. Once an account is disabled … many business owners [said] attempts to appeal Meta’s decisions are repeatedly rejected.
…
This scam is likely a tricky one for Meta because hackers gain access to accounts using emails the company believes have been compromised, making account reinstatement still risky. … And while the ad payments would ordinarily be disabled when the account is disabled, the hackers deleting the original accounts as a manager means those ad accounts remain active and exploitable. [This] has resulted in financial losses for many small-business owners, and Meta knows about it.
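The takeover chain Belanger describes has a recognisable shape in an admin audit trail: a user is granted admin on an ad account, that same user removes a longer-standing admin within hours, and the removed admin is then hit with a content-policy action. The following is an added detection example, not code from the article, from Meta, or from any of the people quoted on this page; the event format, the field names and the sample audit trail are all constructed for illustration and do not reflect Meta's real logs or API.

```python
"""Flag the ad-account takeover chain over a constructed audit trail:
a freshly added admin removes a pre-existing admin within a short window,
optionally followed by a content-violation action against the removed admin.
Event schema and sample values are invented for this example (assumption)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str   # ad account the event concerns
    actor: str     # who performed the action
    action: str    # "add_admin" | "remove_admin" | "content_violation"
    target: str    # user affected by the action


def _t(hour):
    """Helper: timestamps on one constructed day."""
    return datetime(2023, 11, 1, hour)


# Constructed sample audit trail (not a real log format).
SAMPLE_EVENTS = [
    Event(_t(1), "act_100", "owner@example.com", "add_admin", "bookkeeper@example.com"),
    # The attacker is added from the owner's own hijacked session, so the
    # actor looks legitimate; the tell is what the new admin does next.
    Event(_t(9), "act_100", "owner@example.com", "add_admin", "attacker@example.net"),
    Event(_t(10), "act_100", "attacker@example.net", "remove_admin", "owner@example.com"),
    Event(_t(12), "act_100", "moderation", "content_violation", "owner@example.com"),
    # Normal offboarding on another account: long-standing admin removes a contractor.
    Event(_t(3), "act_200", "cfo@example.org", "add_admin", "agency@example.net"),
    Event(_t(20), "act_200", "cfo@example.org", "remove_admin", "agency@example.net"),
]


def find_takeover_chains(events, window=timedelta(hours=24)):
    """Return one alert dict per (account, new admin, removed admin) where a
    recently granted admin removed someone who held admin before them."""
    alerts = []
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        granted_at = {}  # user -> first time they were granted admin on this account
        for i, e in enumerate(evs):
            if e.action == "add_admin":
                granted_at.setdefault(e.target, e.ts)
                continue
            if e.action != "remove_admin" or e.actor == e.target:
                continue  # self-removal is not a takeover signal
            actor_granted = granted_at.get(e.actor)
            if actor_granted is None or e.ts - actor_granted > window:
                continue  # long-standing admin removing someone: routine
            target_granted = granted_at.get(e.target)
            if target_granted is not None and target_granted > actor_granted:
                continue  # removed user is newer than the actor: not the owner
            # Was the removed admin then knocked off the platform, as described?
            followed = any(
                f.action == "content_violation" and f.target == e.target
                and timedelta(0) <= f.ts - e.ts <= window
                for f in evs[i + 1:]
            )
            alerts.append({
                "account": account,
                "new_admin": e.actor,
                "removed": e.target,
                "minutes_since_grant": int((e.ts - actor_granted).total_seconds() // 60),
                "followed_by_violation": followed,
            })
    return alerts


if __name__ == "__main__":
    for a in find_takeover_chains(SAMPLE_EVENTS):
        print(a)
```

Keying the rule on the new admin's first privileged action, rather than on who did the adding, is deliberate: in the scenario described the grant itself comes from the victim's compromised session and looks authorised. A platform operator could use the same pattern to hold the removal for review, and a business could run it against whatever role-change history it keeps for its own accounts.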
Anything else? u/Rymbra has been on the receiving end, so to speak:
[They] hit up your friends/2nd degree associates for money. They’ll review how you speak/your mannerisms since they have access to your DM history and will message them with an emergency so the urgency clouds judgment.
…
One of my friends is an indie musician in another state I collab with sometimes. The hacker got control of his Instagram and they hit me up on IG messenger as him asking to borrow like $50 for medicine for his aunt and he’d pay me back next day. … Someone else that is only cool with him online might’ve fallen for it.
Because you are the product? Fatesrider brings tough love:
“Facebook will throw any user under the bus”
As much as I get how awful this is for someone trying to make a living online, relying on social media … to continue/maintain the business is pretty much a suicidal move.
…
I get that Facebook could be less absolutist in how they handle instances of infractions … but she wasn't their customer. She was their commodity. They literally have no incentive at all to continue keeping her as a user.
…
She presumes she has importance of some kind to Facebook when, in fact, she has almost none. … I feel for her, but Facebook will throw any user under the bus and not feel one iota of remorse.
So how is Meta’s support flow working? Not well, says u/No-Fox3243:
“Like a bad joke”
Firstly, Meta will remove your existing compromised emails and send you a password reset link against the new, never-used-on-FB-before email you supply them. If you are like me … you will go straight to settings and add your phone number and a backup email, knowing how precarious having only one email in there is. This will get you locked right out again.
The only way to get back in is to pass the equivalent of the squid games. From a list of about 10 totally out-of-context comments, you need to pick which 4 were made by you. If you fail that (and I allege that it's flawed, as I picked 4 I know I made) then … 3 friends need to verify your identity through a link FB will send them.
…
I'll just pick my family who are right here in the room. No, no you won't: You will pick 3 from a list of 10 generated by Facebook. Then you need to call or text them, convince them it's you, and get them to click the suspicious looking FB link. … Of that 10, 7 are acquaintances from sport, one's your grandma with Alzheimer's, and you don't even know who 2 are, let alone have contact details for.
…
And now you are ****ed. … It's like a bad joke.
Catch 22? close closes the book: [You’re fired—Ed.]
Facebook makes it so you need an account to report and block fraudulent activity? Isn't this actively enabling a crime if you don't give the victim the quickest possible way to report it at least?
Meanwhile, how about contacting a friend of a friend who works for Facebook? Spatzmania illustrated the oint in that flyment:
When hired, every Facebook employee is warned that accessing another's Facebook account … is recorded and closely monitored and that accessing an account without the owner's explicit permission is a first-time firing offense. The warning (and the fact you'll be fired for it) is repeated at the time of access too.
And Finally:
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Icons8.com (via Unsplash; leveled and cropped)