Victims are losing time, money and peace of mind. Facebook is doing next to nothing.
It all abruptly ended a year ago, when Groce got kicked out of her account. Someone had posted abusive content from her page, an email from Facebook said. When she tried to report the action as an error, Facebook showed her the offending post: A video of two children being forced to perform a sex act.
Her account had been hacked. Groce said she cried for hours. Why did the site show her something so horrible with no warning? And how, without access to her personal account, could she recover the business page she had worked hard to grow?
She had started the page after quitting her job as a home health aide at the start of the pandemic. After years producing multiple videos a week, she had grown the page to 17,000 followers. The extra income from ads in her videos allowed her to pay bills and stash aside some savings, she said.
Her frustrating experience is not unique. Help Desk, the personal technology section at The Washington Post, has received hundreds of emails from people locked out of their Facebook accounts with no idea how to get back in. Many lose their accounts to hackers, who take over Facebook pages to resell them or to game search-engine rankings.
In some cases, losing the account is an inconvenience. But in many others, it is a threat to the finances, relationships or well-being of the user. Groce, for instance, estimates she has lost $18,000 in income after waiting for months for her account to be unlocked.
“We have clients crying on Zoom calls, as they have lost their business and livelihood,” said Jonas Borchgrevink, founder of Hacked.com, which helps victims navigate the notoriously confusing process for recovering hacked Facebook accounts.
Facebook shot to global dominance by promising to be a central hub for our lives, introducing tools to help us run businesses, make payments and even keep track of loved ones during disasters. But once you hit a snag, like an account takeover, that support disappears, dozens of users say, leaving people to flounder in an automated system.
Despite reporting revenue of more than $27 billion in the third quarter, Facebook parent company Meta is a multinational technology giant without real customer support, users say. This month Meta announced it will lay off 11 percent of its workforce. It is unclear how these cuts will affect account security and customer support.
Last year Facebook told The Post it was working on new processes to solve these problems. A year later, not much appears to have changed. The company has no new initiatives for helping people recover their accounts.
According to a report in the Wall Street Journal last week, Meta has disciplined more than two dozen employees and contractors over the past year for illicitly accessing user accounts, in some cases accepting bribes to do so.
Meta has said it will continue taking action against such employee behavior. Identity Threat Resource Center, a nonprofit organization that helps people respond to hacks and identity theft, said reports of social media account takeovers increased 159 percent from 2021 to 2022. And Hacked.com said it has served more than twice as many customers this year compared to last.
“Over the past year, we have made significant progress in raising awareness of common threats across the internet that may lead to compromised accounts, improving our account recovery flows to support people that are locked out, and in helping them regain access to their account,” said Meta spokeswoman Gabby Curtis.
Hack victims say they cannot connect with customer support staff over the phone, and emailed responses from customer support are often rote and unhelpful. Some people upload sensitive personal information such as driver’s licenses only to hear nothing back.
Facebook told The Post last year that mandatory two-factor authentication or easier recovery would create more security problems than they would solve. But other firms do not seem to have the same problem, said ITRC chief executive Eva Velasquez.
Financial institutions, for instance, used to have much bigger problems with account takeovers before they implemented those basic security measures, she said. (You can turn on two-factor authentication in your account settings and choose a password you do not use anywhere else.)
ITRC fields hundreds of calls a year from people locked out of their Facebook and other online accounts, Velasquez said. Its call center workers are trained in responding to trauma because, for victims, hacks do not just feel exasperating, they feel violative. When Facebook users can’t get help, they turn to the ITRC or Federal Trade Commission, which collects complaints about online fraud. The FTC declined to provide to data on hacked social media accounts and any efforts to combat the problem.
“ITRC has become a de facto outsource for Facebook customer service because they simply do not have any,” Velasquez said, adding that Facebook keeps the money it generates while ignoring problems and leaves its problems for others to solve.
Hacks cost victims their time
Losing access to a Facebook or Instagram account takes seconds. Getting it back can take years. Aaron Elekes used his Facebook page to promote the radio shows recorded in the Las Vegas studio that he owns. After the 50-year-old fell for what he believes was a cyberattack called phishing and got locked out of his account in March 2019, he figured all he needed was a little tenacity. He estimates he spent more than 24 hours doing online research and searching for answers.
Eventually, he gave up and made a new account, but each attempt was flagged as suspicious and deleted. So he did what any reasonable person would do: He created a new account with the name and likeness of his cat, Yumyum.
He posted a message letting everyone know that he was not, in fact, a cat and started adding back his old connections. The new page did the job, but Elekes could not rest. The more he tried and failed to contact a real person at Facebook, the more frustrated he got, until one day he considered driving nine hours to its Menlo Park, Calif., headquarters and standing outside until someone would help him.
“I thought to myself, ‘What am I going to do when I get there? Are they going to be open?’ ” He ended up talking himself down. But it was not the last time he felt stung by getting locked out. When a childhood friend got cancer, Elekes missed the news because they had not connected on his new Facebook account. He never got to say goodbye.
Hacks cost victims their money
Facebook pitches itself as a place to connect with friends and family, but it is also a bustling marketplace. When small-business owners who use the platform to make money get locked out, they can lose their livelihoods.
Groce, who lost her cooking page in an apparent hack, said she spent months going in circles within the account recovery portal before giving up and starting a new page with zero followers. All the while, her old videos were still making money, according to invoices reviewed by The Post, but none of that money was appearing in her bank account. She still does not know if the hacker substituted their own bank information and made off with her ad revenue.
Many others use Facebook to run business pages, like social media manager Howard Baltus, who posted on behalf of dozens of small companies. In July, Baltus woke up to an email from Facebook: He had lost access to his personal page.
Then he saw the rest of the emails. Like dominoes, the first account takeover had allowed the hacker to snap up the business pages and delete the administrative access of the business owners. Not only was Howard losing access to the pages, so were his clients.
It was the start of a long battle that led nowhere, according to Baltus and his wife, Rose. Based on messages from Facebook customer service shared with The Post, Rose and Howard emailed with at least six different representatives over three months. While the hacker continued to charge ads to a credit card the Baltuses did not recognize, Howard and Rose repeatedly messaged customer support.
When Facebook representatives responded, they would tell the Baltuses to be patient and that the situation was under review. “Keep smiling!” read a response in September.
Finally, Facebook support came back with a ruling: “We have determined that there was sufficient evidence to suggest that the pages were compromised, however, given issues present in the business managers that current [sic] owns them, ownership over them cannot be transferred.” The email encouraged them to check out the Facebook Blueprint product, which offers free marketing courses.
Howard responded with an expletive-laden screed about the lack support for Facebook marketing clients. “You guys really suck at what you do,” he wrote. “We thank you for your understanding,” the representative replied. By that point, the Baltuses estimate they had lost around $20,000 in income.
Hacks cost victims peace of mind
As Facebook cast its net wider, with new features to capture more of our time and attention, the cost of losing an account grew, too. People now turn to Facebook for everything from organizing social gatherings to storing important memories.
Take Joyanna Livingston, a bookkeeper from Hillsboro, N.C., who said she felt lonely during the first year of the pandemic. So she started a private Facebook group for herself and other women to process what was happening. One or two she knew in real life and the rest were strangers, but they quickly bonded through posts about their families, health and jobs.
When a hacker took over her account in late 2020, her first thought was about privacy: All those intimate posts were now exposed to a stranger. She called one of the group members she knew personally and asked her to tell others that the group was no longer secure. Livingston lost touch with her new friends.
Other hack victims share similar frustrations. Heidi Hayes, an actor in Pittsburgh, could not access the materials for her acting classes that were all posted in Facebook Groups. Colleen O’Shea, a 61-year-old from Calgary, Alberta, watched her husband, Guy, gleefully share live video of their teenage son hitting a hole-in-one at a golf tournament.
When Guy lost his account to a hacker, they lost the video, too. It was the only copy they had. Not every hack story ends bleakly. Sometimes a stuck process comes unstuck, and people find that the same forms that led them in circles the day before are suddenly working.
That is what happened to Cassie Bonstrom, a 37-year-old nurse in Minneapolis who has a reputation among her friends for not giving up, like the time she put on a fancy dress and snuck into a celebrity-studded Golden Globes after-party.
Bonstrom talked often on Facebook Messenger with her lifelong friend who, because of difficulties communicating in person, relied on Facebook Messenger to keep in touch. In September, a hacker broke into her friend’s account and changed the profile name. Bonstrom managed to kick out the interloper by changing the password, but when she tried to fix the name, Facebook said she had to wait 60 days.
Bonstrom sent the request again and again and again. After her kids went to bed, she would sit down for her new part-time job: battling with Facebook. When the automated system returned a “no,” she would start over. After four days, the request went through.
All was as it should be. But Bonstrom found it strange that she could not get in touch with anyone at the company. “They have to have at least like 1,000 employees, right?” she said. Meta has tens of thousands of employees. The company says 40,000 are devoted to safety and security efforts.