The Hacker Who Tried to Bury My Digital Memories

It began on May 1 with an email saying a request had been made to change my Facebook password.

I hadn't made that request.

More of these emails followed in quick succession, a few minutes apart. It was like being in labor, but instead of me birthing a baby, a hacker was spawning fraudulent access into my thoughts, locations, photos, and feelings. 

With every email I got, I clicked on the blue square that said "This wasn't me." But that didn't relieve these troublesome pains.

Instead, an email was delivered that said Facebook had detected a suspicious login near Seattle - 2,400 miles away from where I sat. 



To increase security, I have two-factor authentication (2FA) on my account - with every login, a code is sent to my cell phone that also has to be entered to access my information. But somehow the fraudulent login didn't trigger a code, and the 2FA didn't prevent the hacker from getting in. 

So I requested a security code from Facebook, got into my account, verified some things, changed the password, and thought that was the end. 

A few hours later, it happened again. 

I reset my password again and regained control of my account, but the hackers were persistent. They got back into my account again within just a few minutes.

Although I could log in with my reset password, I couldn't get past the second step of authentication - I could see that the hackers had changed my 2FA to a phone number I didn't recognize. 

And I had requested new access codes so many times, Facebook told me I couldn't have any more. 

No codes for you.

Facebook disabled my personal account on May 1. 

Much has been said about the negative effects of social media. For me, a stay-at-home mom and work-from-home employee, the internet is my primary channel of communicating with my friends and extended family. It's my daily reflections and source for connections. It's my personal repository and also my paid job.

I couldn't get into my own account, I couldn't get into this blog's account, and I also couldn't do a large part of my day-to-day work: managing social media posts and purchasing ads for my employer. 

I was infuriated at the betrayal. Despite fortifications, my wall of privacy had been blown wide open and strangers were walking around with muddy boots in my personal life. I also worried about being able to effectively do my job. Now, Facebook was blocking me from fixing it.

Figuring the company would be more interested in their lost revenue than my lost access, first I tried reaching out for help through my employer's ad account. 

Back and forth we went. The ads team would tell me this wasn't an ads problem, and I would say it is an ads problem if I can't buy ads because I can't log in, and they'd send me a useless link to reset my password, and I'd tell them it didn't work, and the ads team would tell me to log in and create a new service ticket, and I would say I can't log in, and the ads team would say that wasn't an ads problem. 

Round and round we circled this particular level of hell for five days. Eventually they stopped responding altogether, but I still raged. 


So I searched the forum site Reddit and found some generic email addresses for the trillion-dollar company with no customer service phone number. I started an email campaign, reaching out to any department I could - privacy, ads, support, info, appeals - screaming into the void roughly situated in Menlo Park, California. Every six hours or so, I'd send another email asking for help. No one responded. 

Then I attempted to get at the company from a privacy and data access angle, since they were denying me access to my information as required by federal law. But laws are no big whoop, apparently, and the privacy team said this wasn't their problem.

Closed but not solved

Furious, I followed any link I could find to confirm my identity, report my account as hacked, and reset my credentials. Nothing worked. Everything was circular, taking me back to something I had already tried but made no difference.

On May 4, I received an email from Facebook saying they (finally) suspected my account was hacked. After going through some steps, I was briefly able to recover access. Immediately I changed my password for the fourth time and reset the 2FA again so it was linked to an app on my phone.

I scanned my desktop computer with two separate security programs, and my phone as well. No virus, no trojan app recording my keystrokes was detected. It was secure.

I thought surely this was going to solve it. 

Again I was wrong.

The hackers got in once more - this unusual login alert was from Vietnam. Again I reset my password, this time from my laptop computer, just in case there was a deeply hidden virus or hack on my desktop computer. 

I was logged in for all of 25 hours before the fraudulent requests to reset my password began anew. I repeatedly told the company it wasn't me, again. Facebook shut down my account again on May 5. Mexico was celebrating freedom from oppression on that day, but I was not. I was sinking into despair.

On May 6, I continued to receive frustrating emails in response to someone requesting a password change. I continued to respond that this wasn't me. Then I got an email reminding me, as though I had simply forgotten (silly me), to unlock my locked account - complete with a link, heretofore hidden amid the depths of the internet, which let me do so. 

But within minutes of receiving that email and trying yet once more to reactivate access, I got another unusual login alert. This one pinged to my location, but it wasn't me. The hackers had changed tactics, somehow bypassed the 2FA app requirement, and now also worked digital magic to make it appear I was logging in when I wasn't able to.

Once more I tried changing the password, but the hackers had changed the 2FA from my app to yet another, different phone number that I didn't recognize. 

Although my account was visible, I was completely shut out while the hacker was on the inside, and Facebook didn't have any solutions. In fact, at one point they told me I had reactivated my account and secured it, even though I was telling them I could not access it. 


Spoiler: it was not secure


On May 6 and 7, the hacker attempted to run Facebook ads via my account, trying to use the credit card on file for my employer. I received multiple email messages telling me that if I wanted to advertise on Facebook, I needed to provide verification of my payment method. 

With each email, I went a little more insane - why was no one listening to me? Why did no one care about this horrible invasion of my privacy and financial security? I responded to every email by saying my account had been hacked, and these ads were being fraudulently placed, and I can't get into my account to fix any of it, so help me god. 

Because the hacker couldn't verify credit card information, Facebook turned off my ability to buy ads citing suspicious activity. Once again my account was entirely shut down for suspicion of being compromised. I had passed angry a few passwords back, and now I was approaching apoplectic. 

In other news, we canceled the company credit card - which had also reported potentially suspicious activity - on May 7. So no matter what the hacker tried to buy ads or anything else, it would no longer work.

Because I purchase ads for my employer on Facebook as well as Instagram - both owned by Meta - I was again able reach the Meta business help center (this time through Instagram) on May 8 and speak to an actual person. Not a series of ones and zeroes, but a person who I hoped would understand and take action to help me. 

My hopes were quickly vaporized.

Basically, she said, if I had followed all links and instructions to no avail, then there was nothing Facebook could do to unlock its own protections and boot the hacker...unless I "had access to a Meta representative." 

"Aren't you a Meta representative?" I demanded.

"No," she told me. 

"Does Meta sign your paychecks? If so, then you are a Meta representative."

"I can't answer that question," she responded.

You see, she meant a Meta account representative, which are doled out at Meta's discretion to high-volume ad purchasers and accounts with millions of followers to influence. 

In other words, my business account didn't spend enough money on Facebook to merit customer service help. 

"I've given you all the information I can," she said over and over.

In strong language, I told her how egregious this was - that they offer no solution to hacking despite having designed the platform themselves, that they deny help to paying customers, that they are violating laws to data access, that in a company of more than 67,000 employees she refused to let me speak to someone with more authority. 

Instead, she told me to create a new personal account and abandon the old one. 

After hanging up I cried bitterly, for hours, until my eyelids swelled up and snot ran from my nose. I was inconsolable at the loss of 15 years of personal digital memories as well as 10 years of blog statuses. Posts about children's milestones, a long-running series of Things I Never Thought I'd Have to Say, thoughts about my late mother, annual anniversary wishes to my husband, random daily observations...all inaccessible because no one would help me. 

It felt like I was losing a huge chunk of my life all over again.

When I was 12, my family lost our house to foreclosure. The bank hired a trash company to remove anything we couldn't carry out. Sentimental stuffed animals collected since birth, my bronzed baby shoes, my Barbies, all of our family photo albums, my mother's wedding dress and photos, her collection of books, her typewriter - all buried beneath tons of dirt in a landfill. In just a few hours, proof of the first third of my life had been obliterated.

My sense of place and security was ripped from me again five years later when I was placed in foster care. I only took a few sad personal items with me.

Now, all the memories of the most recent third of my life were being buried - not under dirt, but behind a two-factor authentication created by a hacker and a mega-company that didn't want to invest the time or dollars to help people like me. 

I was being retraumatized, slapped in the face with my own helplessness. 

The memories I could lose.

And I wasn't the only one pushing a boulder up a hill.

An internet search for "hacked Facebook" yields literally thousands of people who have either been hacked or scammed into giving up their login credentials and can no longer access their accounts. They are begging for help - from Facebook, its parent company  Meta, "ethical hackers" on the internet, Reddit forums and YouTube comments, even for-profit companies created to help people regain access or remove photos from the internet. 

Just two months ago, a group of attorneys general from 41 states sent a letter to Meta warning that rates of people contacting them for help with Meta have skyrocketed: Vermont saw a 740 percent increase in reports of account takeovers. In North Carolina, it was 330 percent. In Illinois, more than 250 percent. And these are likely underestimated, since not everyone reports their issue to their state's attorney general. 

On May 8, I submitted a formal complaint to my state's attorney general, who had signed the letter to Meta. And I waited, hoping the office would help me by putting pressure on Meta as a business to solve this mess. 

In the meantime, I continued to plead fruitlessly with the team who had alerted me to the fraudulent ads. 

After I log in, they can help me log in.

Desperate, I grasped at any straws I could think of. I asked my (millionaire) employer if he knew anyone who could rescue me. I reached out tearily to a friend who is a lawyer. Through friends and family, I pled for help on social media channels. Nobody knew how to fix this or reach a real person at Facebook. 

I steeled myself for a long fight, thinking it could take many months to recover my account. But - unlike my childhood memorabilia - I continued to believe that this could be saved. The attorney general of California, as well as several news media outlets, had successfully restored select users' access when they questioned Facebook about why this was happening so frequently. 

In the midst of my heartache and worry, I held a tenuous grip on hope.

Quite suddenly, on May 10, an email landed in my in-box that said the phone number registered to the two-factor authentication on my account had been registered and confirmed for a different Facebook account. For security purposes, that wasn't allowed, so Facebook was removing that phone number - country code Vietnam - and I needed to reset the authentication method. 

After 10 days of run-around, confusion, anxiety, grief, and white-hot anger, it was the hacker himself who saved me - by hacking into someone else's account. 

With my heart thudding in my stomach and my hands shaking, I logged into Facebook using the link they had provided - and it worked. I changed my password for the sixth time. I reset my 2FA method for the second time.

And that's how I recovered my Facebook account. 

Then I immediately set to downloading all of my data - a gigabyte worth - in case I'm ever in this nightmarish position again.

The very next day, May 11 - Mother's Day, as if that day isn't fraught enough  - I received a new email that someone was requesting to change my password. And I got another notice on May 20. To my knowledge they did not hack in, and their attempts seem to be growing far-apart and futile.

But the effects of this incredibly stressful ordeal haven't ended. 

My fight-or-flight response is on overdrive. I tense up at every email notification and feel waves of anxiety when Facebook takes a second longer than usual to load. I struggle to relax or fall asleep, always on guard for threats. I'm holding on to everything a little too tightly. And my ads account, which wasn't restored until May 16 and is currently shut down again, is still showing conflicting messages of being restricted while also active. 

At least the hacker is no longer running his dirty hands across my thoughts or roadblocking my digital memories. Until I feel safe, that's what I'll hold on to, because trauma has a way of not letting go.





Comments

  1. Loved this post....your rightful upset shines through, as does your knowledge of technology and your determination to keep your data safe.

    ReplyDelete

Post a Comment