By Patrick Robinson

UPDATE: My friend who was suffering with a Facebook hack has had her problem resolved. How? She reached out to the California State Attorney General's office. Meta is based there. They told Meta to fix this, and they did. But should it take that kind of extreme action? Real harm is being done to thousands of people across the nation. Just prior to the fix, the hacker had resorted to posting that "she" was dying and needed help through GoFundme. It started (as you can read below with threats and a bitcoin ransom.Then became an offer to sell home items, then finally the funding request. The hacker was escalating his efforts. Meta really needs regulation and at the least a better, more robust means by which hacked accounts can be suspended, making them useless to the hacker. Remember, YOU are the product Meta and facebook are selling. The ads are targeted to reach you. So in the grand scheme, it's as if you were on speeding train and you dropped a penny. You wouldn't stop the train for that. It's an acceptable loss. YOU to Meta are an acceptable loss. And that's not right.

ORIGINAL POST

It’s very easy to be complacent. The idea that you are safe and the world is not out to get you is a warm and fuzzy mindset. If that were not true, it would make you feel out of control, and that’s uncomfortable.

You know what is way less comfortable?

Being victimized by an anonymous criminal.

A good friend of mine got an email from a hacker in early July. It used a laughably broken english script that’s been around for a long time but the intent was dead serious.

He (let’s assume it’s a guy) indeed had her email password and claimed to have installed a “trojan virus” on her computer. This was untrue of course but the email script goes on to threaten her with posting pornography on her facebook page and to her friends. But to end the nightmare, she only had to send bitcoin to an email and he would release the hold on her account.

At this point it’s worth knowing that by some estimates 150,000 facebook accounts per day get hacked.  This isn’t including people who attempt to impersonate you by stealing some of your photos, your name and then sending messages to friends to “be friends” with them. Many unwary people go ahead and click through.

But back to the hacker. You would think Facebook would have an easy process to resolve these matters. Banks for example have you provide account information including your email and a number they can text to confirm identity.  Facebook not so much.

What they do have is an account recovery process. You go to a form and let them know your account has been hacked. Sounds simple. Except hackers thwart this process. Facebook is essentially all driven by algorithms and code. Very few people are actually involved. That’s understandable with five billion users.

What happens when you attempt to use that form is there’s a limit in place. You can only change your password once a day. Any further attempts are blocked. Hackers block you by simply changing the password on the hacked account using a simple computer script. The result is that you get a response from Facebook that you are “going too fast” and have exceeded the number of times you can change the password. There are a series of other steps you can take but they get even more confusing and lengthy.

Facebook also allows you to shut down the account. Millions have as they grow sick of what social media can often be, a dark angry collection of rants and complaints in addition to security problems. In the meantime, my friend ignored the hacker’s attempt to extort her. He went dormant for a few weeks. She thought it was over and she avoided Facebook. Then he popped up again with a post on her page seen by hundreds of people. He had blocked a swath of her friends from even seeing her page, but not all. His post stated that “she” was moving and wanted to sell a number of items from TV’s to computer gear and more all at heavy discounts. When one person messaged “her” they were told to send “half the money through a cash app and then the item could be picked up”, again a ridiculous gambit. But some might be gullible enough to fall for it.

Facebook has a further fallback recourse. Send an email to Disabled@fb.com and make your case. Which she did.. and which I did too just to amplify her message. There’s been no acknowledgement. Not even an automated “We have received your email and will review your comments.” Nothing.

There are even firms who offer guidance on how to get your account back with step by step instructions or will charge you for direct help. Not surprising since Facebook has made the process so convoluted.

“It makes you feel incredibly vulnerable and defenseless,” my friend said. She noted that at least eight of her friends have texted her asking about this.

She tried going through a site called Hacked.com but after paying a $95 fee was told there was nothing they could do and she should avoid the site for two weeks and then "try again". In the vacuum as you'd expect there are an untold number of people who can "help you" get your site back for a fee ranging from $50 (for the purchase of EDB code) plus an additional $100 fee for your actual log in credentials..except they can't prove they have access to your account. That's against their "policy" as if they had one. It's not just frustrating it's criiminal and all in the social media giant's shadow.. It's probably time for congress to hold more hearings to force Meta to commit more resources to help users reclaim their accounts rather than just shove them into an endless (and pointless) automated process. Meta is not just irresponsible here. They are complicit.

What is the lesson here? As annoying and dangerous and stressful as this is. It’s not the end of the world. It’s important not to panic. Not to minimize this or any other form of identity theft. It’s seriously illegal. According to the law firm Burg Theft Defense.

Washington state criminal penalties are divided into two general categories -- misdemeanors and felonies which are defined at RCW 9A.20.021.

Theft in the third degree (anything under $750) is a gross misdemeanor, punishable by up  to 364 days in jail and up to a $5,000 fine.

Felonies are categorized into class A, B or C felonies with class A felonies being the most serious. Each class of felonies carries the following maximum penalties:

• Class A Felonies: Up to life in prison and up to a $50,000 fine.
• Class B Felonies: Up to 10 years in prison and up to a $20,000 fine.
• Class C Felonies:Up to 5 years in prison nd up to a $10,000 fine.

Theft in the second degree (anything between $750 - $5000) is a Class B felony.  Theft in the first degree, (anything over $5000) is a Class B felony.

Make your passwords long (9 characters with at least one number), and set a calendar event to remind you to change them say every 90 days.

Facebook is obviously not the only place where identity theft happens. Another friend of mine had her website taken over and bank accounts drained. 

The US Government  has a good page on how to recognize and protect yourself from these people here. You can of course also sign up for a commercial ID theft insurance and Equifax has a good page talking about the costs and capabilities of these companies. They note that "compensation is usually limited to between $10,000 and $15,000."

it’s easy to be complacent. But it’s dangerous. And for my friend (and many others) the way back to sanity is not easy or clear.